Foreword 

(Informative) 

Business practice has changed with the introduction of computer-based technologies. The substitution of electronic 
transactions for their paper-based predecessors has reduced costs and improved efficiency. Trillions of dollars in 
funds and securities are transferred daily by telephone, wire services, and other electronic communication 
mechanisms. The high value or sheer volume of such transactions within an open environment exposes the financial 
community and its customers to potentially severe risks from accidental or deliberate alteration, substitution or 
destruction of data. This risk is compounded by interconnected networks, and the increased number and 
sophistication of malicious adversaries. 

Some of the conventional “due care” controls used with paper-based transactions are unavailable in electronic 
transactions. Examples of such controls are safety paper which protects integrity, and handwritten signatures or 
embossed seals which indicate the intent of the originator to be legally bound. In an electronic-based environment, 
controls must be in place that provide the same degree of assurance and certainty as in a paper environment. The 
financial community is responding to these needs. 

This Standard, X9.62-199x, Public Key Cryptography For The Financial Services Industry: The Elliptic Curve 
Digital Signature Algorithm (ECDSA), defines a technique for generating and validating digital signatures. 

This standard describes a method for digital signatures using the elliptic curve analog of the Digital Signature 
Algorithm (DSA) (ANSI X9.30-1). 

Elliptic curve systems are public-key (asymmetric) cryptographic algorithms that are typically used: 

- to create digital signatures (in conjunction with a hash algorithm), and 

- to establish secret keys securely for use in symmetric-key cryptosystems. 

The primary advantage of elliptic curve systems is their apparent high cryptographic strength relative to key size. 
The attractiveness of elliptic curve cryptosystems may increase relative to other public-key cryptosystems as 
computing power improvements warrant a general increase in key size. The shorter key sizes may result in 
significantly shorter certificates and system parameters. These potential advantages manifest themselves in many 
ways, including storage efficiencies, bandwidth savings, and computational efficiencies. The computational 
efficiencies may lead in turn to higher speeds, power efficiency, code size reductions, or a combination thereof. 
These potential efficiencies are particularly beneficial in applications such as: 

- high volume transaction systems, 

- wireless communications, 

- hand-held computing (e.g., personal digital assistants), 

- broadcast communications, and 

- smart cards, 

where bandwidth, processing capacity, power availability or storage are constrained. 

When implemented with proper controls, the techniques of this Standard provide: 

- data integrity, and 

- non-repudiation of the message origin and the message contents. 

Additionally, when used in conjunction with a Message Identifier [1], the techniques of this Standard provide the 
capability of detecting duplicate transactions. It is the Committee’s belief that the proper implementation of this 
Standard should also contribute to the enforceability of some legal obligations. 

The use of this Standard, together with appropriate controls, may have a legal effect, including the apportionment of 
liability for erroneous or fraudulent transactions and the satisfaction of statutory or contractual “due care” 
requirements. The legal implications associated with the use of this Standard may be affected by case law and 
legislation, including the Uniform Commercial Code Article 4A on Funds Transfers (Article 4A). 

The details of Article 4A address, in part, the use of commercially reasonable security procedures and the effect of 
using such procedures on the apportionment of liability between a customer and a bank. A security procedure is 
provided by Article 4A-201 “for the purpose of (i) verifying that a payment order or communication amending or 
canceling a payment order originated is that of the customer, or (ii) detecting an error in the transmission or the 
content of the payment order or communication.” The commercial reasonableness of a security procedure is 
determined by the criteria established in Article 4A-201. 

While the techniques specified in this Standard are designed to maintain the integrity of financial messages and 
provide the service of non-repudiation, the Standard does not guarantee that a particular implementation is secure. It 
is the responsibility of the financial institution to put an overall process in place with the necessary controls to ensure 
that the process is securely implemented. Furthermore, the controls should include the application of appropriate 
audit tests in order to verify compliance with this Standard. 

[1] ANSI X9.9-1986, Financial Institution Message Authentication (Wholesale). 

Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee 
Secretariat, American Bankers Association, 1120 Connecticut Avenue, N.W., Washington D.C. 20036. 

This Standard was processed and approved for submittal to ANSI by the Accredited Standards Committee on 
Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee 
members voted for its approval. At the time that this Standard was approved, the X9 Committee had the following 
members: 

Harold Deal, Chairman 
Alice Droogan, Vice Chairman 
Cynthia Fuller, Secretariat 

Organization Represented Representative 

[to be furnished] 

The X9F subcommittee on Data and Information Security had the following members: 

Glenda Barnes, Chairman 

Organization Represented Representative 

[to be furnished] 

The X9F1 working group which developed this standard had the following members: 

M. Blake Greenlee, Chairman 

Organization Represented Representative 

[to be furnished] 
X9.62-199x 

Public Key Cryptography For The Financial Services Industry: 

The Elliptic Curve Digital Signature Algorithm (ECDSA) 

1. Scope 

This Standard defines methods for digital signature (signature) generation and verification for the protection 
of messages and data using the Elliptic Curve Digital Signature Algorithm (ECDSA). 

The ECDSA shall be used in conjunction with the hash function defined in ANSI X9.30-1993, Part 2, 
Secure Hash Algorithm (SHA-1) (Revised). In addition, this ECDSA Standard provides the criteria for the 
generation of public and private keys that are required by the algorithm and the procedural controls required 
for the secure use of the algorithm. 

2. Definitions, Abbreviations, Symbols and Notation 

2.1. Definitions and Abbreviations 

addition rule: An addition rule describes the addition of two elliptic curve points P_1 and P_2 to produce a third elliptic curve point P_3. (See Sections C.3 and C.4.) 

asymmetric cryptographic algorithm: A cryptographic algorithm that uses two related keys, a public key and a private key; the two keys have the property that, given the public key, it is computationally infeasible to derive the private key. 

basis: A representation of the elements of the finite field F_2^m. Two special kinds of basis are polynomial basis and normal basis. (See Section C.2.) 

binary polynomial: A polynomial whose coefficients are in the field F_2. 

bit string: A bit string is an ordered sequence of 0’s and 1’s. 

certificate: The public key and identity of an entity together with some other information, rendered unforgeable by signing the certificate with the private key of the certifying authority which issued that certificate. In this Standard the term certificate shall mean a public-key certificate. 

Certification Authority (CA): A Center trusted by one or more entities to create and assign certificates. 

characteristic 2 finite field: A finite field containing 2^m elements, where m ≥ 1 is an integer. 

compressed form: Octet string representation for a point using the point compression technique described in Section 4.4.1. (See also Section 4.4.2.) 

cryptographic hash: A (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. The function satisfies the following properties: 

1. it is computationally infeasible to find any input which maps to any pre-specified output; 

2. it is computationally infeasible to find any two distinct inputs which map to the same output. 

cryptographic key (key): A parameter that determines the operation of a cryptographic function such as: 

1. the transformation from plaintext to ciphertext and vice versa, 

2. the synchronized generation of keying material, 

3. a digital signature computation or validation. 

cryptography: The discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification, prevent its unauthorized use, or a combination thereof. 

cryptoperiod: The time span during which a specific key is authorized for use or in which the keys for a given system may remain in effect. 

digital signature: The result of a cryptographic transformation of data which, when properly implemented, provides the services of: 

1. origin authentication, 

2. data integrity, and 

3. signer non-repudiation. 

EC: Elliptic curve. 

ECDSA: Elliptic curve analog of the Digital Signature Algorithm (DSA) (ANSI X9.30, Part 1). 

elliptic curve: An elliptic curve is a set of points specified by 2 parameters a and b, which are elements of a field F_q. The elliptic curve is said to be defined over F_q; F_q is sometimes called the underlying field. If q = p is an odd prime, p > 3 (so the field is F_p), then the Weierstrass equation defining the curve is of the form y^2 = x^3 + ax + b, where (4a^3 + 27b^2) mod p ≠ 0. If q is a power of 2 (so the field is F_2^m), then the Weierstrass equation defining the curve is of the form y^2 + xy = x^3 + ax^2 + b, where b ≠ 0. 

elliptic curve key pair: Given particular elliptic curve parameters, an elliptic curve key pair consists of an elliptic curve private key and the corresponding elliptic curve public key. 

elliptic curve private key: Given particular elliptic curve parameters, an elliptic curve private key, d, is a statistically unique and unpredictable integer in the interval [1, n − 1], where n is the prime order of the base point P. 

elliptic curve public key: Given particular elliptic curve parameters, and an elliptic curve private key d, the corresponding elliptic curve public key, Q, is the elliptic curve point Q = dP, where P is the base point. Note that Q will never equal O, since 1 ≤ d ≤ n − 1. 

elliptic curve parameters: These parameters specify an underlying field F_q, the equation of an elliptic curve over F_q, an elliptic curve point P of prime order, the order n of P, and the cofactor h. (See Section 5.1.) 

elliptic curve point: If E is an elliptic curve defined over a field F_q, then an elliptic curve point P is either: 

1. a pair of field elements (x_P, y_P) (where x_P, y_P ∈ F_q) such that the values x = x_P and y = y_P satisfy the equation defining E, or 

2. a special point O called the point at infinity. 

hash value: The result of applying a cryptographic hash function to a message. 

hybrid form: Octet string representation for both the compressed and uncompressed forms of an elliptic curve point. (See Section 4.4.2.) 

irreducible polynomial: A binary polynomial f(x) is irreducible if it does not factor as a product of two binary polynomials, each of degree less than the degree of f(x). 

key: See cryptographic key. 

keying material: The data (e.g., keys, certificates and initialization vectors) necessary to establish and maintain cryptographic keying relationships. 

message: The data to be signed. 

message identifier (MID): A field which may be used to identify a message. Typically, this field is a sequence number. 

non-repudiation: This service provides proof of the integrity and origin of data which can be verified by a third party. 

normal basis (NB): A type of basis that can be used to represent the elements of the finite field F_2^m. (See Section C.2.3.) 

octet: An octet is a bit string of length 8. An octet is represented by a hexadecimal string of length 2. The first hexadecimal digit represents the four leftmost bits of the octet, and the second hexadecimal digit represents the four rightmost bits of the octet. For example, 9D represents the bit string 10011101. An octet also represents an integer in the interval [0, 255]. For example, 9D represents the integer 157. 

octet string: An octet string is an ordered sequence of octets. 

optimal normal basis (ONB): A type of normal basis that can be used to represent the elements of the finite field F_2^m. (See Section C.2.4.) 

order of a curve: The order of an elliptic curve E defined over the field F_q is the number of points on E, including O. This is denoted by #E(F_q). 

order of a point: The order of a point P is the smallest positive integer n such that nP = O (the point at infinity). 

owner: The entity whose identity is associated with a private/public key pair. 

pentanomial: A polynomial of the form x^m + x^(k3) + x^(k2) + x^(k1) + 1, where 1 ≤ k1 < k2 < k3 ≤ m − 1. 

pentanomial basis (PPB): A type of polynomial basis that can be used to represent the elements of the finite field F_2^m. (See Section C.2.2.) 

point compression: Let P be a point (x_P, y_P) on an elliptic curve E defined over a field F_q. Point compression allows the point P to be represented using x_P and a single additional bit ỹ_P derived from x_P and y_P. If q is a prime number, then ỹ_P is equal to the rightmost bit of y_P. If q is a power of 2, then ỹ_P is 0 if x_P = 0; if x_P ≠ 0, then ỹ_P is equal to the rightmost bit of the field element y_P · x_P^(−1). The point compression technique is described in Section 4.4.1. 

point compression octet (PC): The rightmost bit of PC shall be equal to the value of ỹ_P if the compressed or hybrid forms are used; otherwise it shall be 0. 

The second and third rightmost bits shall (respectively) be 1 and 0 if the compressed form is used. 

The second and third rightmost bits shall (respectively) be 0 and 1 if the uncompressed form is used. 

The second and third rightmost bits shall (respectively) be 1 and 1 if the hybrid form is used. 

The three rightmost bits shall be 0 to indicate the point at infinity. 

The remaining five bits of the octet shall be set to 0. 

polynomial basis (PB): A type of basis that can be used to represent the elements of the finite field F_2^m. (See Section C.2.1.) 

prime finite field: A finite field containing p elements, where p is an odd prime number. 

private key: In an asymmetric (public) key system, that key of an entity’s key pair which is known only by that entity. 

public key: In an asymmetric key system, that key of an entity’s key pair which is publicly known. 

reduction polynomial: The irreducible binary polynomial f(x) of degree m that is used to determine a polynomial basis representation of F_2^m. 

scalar multiplication: If k is a positive integer, then kP denotes the point obtained by adding together k copies of the point P. The process of computing kP from P and k is called scalar multiplication. 

The Secure Hash Algorithm, Revision 1 (SHA-1): SHA-1 implements a hash function which maps messages of a length less than 2^64 bits to hash values of a length which is exactly 160 bits. 

signatory: The entity that generates a digital signature on data. 

statistically unique: For the generation of u-bit quantities, the probability of two values repeating is less than or equal to the probability of two u-bit random quantities repeating. 

trinomial: A polynomial of the form x^m + x^k + 1, where 1 ≤ k ≤ m − 1. 

trinomial basis (TPB): A type of polynomial basis that can be used to represent the elements of the finite field F_2^m. (See Section C.2.2.) 

uncompressed form: Octet string representation for an uncompressed elliptic curve point. (See Section 4.4.2.) 

verifier: The entity that verifies the authenticity of a digital signature. 

x-coordinate: The x-coordinate of an elliptic curve point P = (x_P, y_P) is x_P. 

y-coordinate: The y-coordinate of an elliptic curve point P = (x_P, y_P) is y_P. 

2.2. Symbols and Notation 

[a, b]: The interval of integers between and including a and b. 

⌈a⌉: Ceiling: the smallest integer ≥ a. For example, ⌈5⌉ = 5 and ⌈5.3⌉ = 6. 

⌊a⌋: Floor: the largest integer ≤ a. For example, ⌊5⌋ = 5 and ⌊5.3⌋ = 5. 

a mod n: The unique remainder r, 0 ≤ r ≤ n − 1, when integer a is divided by n. For example, 23 mod 7 = 2. 

B: MOV threshold. A positive integer B such that taking discrete logarithms over F_(q^B) is at least as difficult as taking elliptic curve logarithms over F_q. For this Standard, B shall be ≥ 20. 

d: EC private key. 

E: An elliptic curve. 

E(F_q): The set of all points on an elliptic curve E defined over F_q and including the point at infinity O. 

#E(F_q): If E is defined over F_q, then #E(F_q) denotes the number of points on the curve (including the point at infinity O). #E(F_q) is called the order of the curve E. 

F_2^m: The finite field containing 2^m elements, where m is a positive integer. 

F_p: The finite field containing p elements, where p is a prime. 

F_q: The finite field containing q elements. For this Standard, q shall either be an odd prime number (p) or a power of 2 (2^m). 

h: h = #E(F_q)/n, where n is the order of the base point P. h is called the cofactor. 

k: Per-message secret value. For this Standard, k shall be a statistically unique and unpredictable integer in the interval [1, n − 1]. 

l: The length of a field element in octets; l = ⌈t/8⌉. 

l_max: Upper bound on the largest prime divisor of the cofactor h. 

log_2 x: The logarithm of x to the base 2. 

m: The degree of the finite field F_2^m. 

M: Message to be signed. 

M’: Message as received. 

MID: Message Identifier. 

mod: modulo. 

mod n: arithmetic modulo n. 

n: The order of the point P. For this Standard, n shall be a prime number. n is the primary security parameter. In general, as n increases, the security of ECDSA also increases. See Appendix D for more information. 

O: A special point on an elliptic curve, called the point at infinity. This is the additive identity of the elliptic curve group. 

p: An odd prime number. 

P: A distinguished point (x_P, y_P) on an elliptic curve called the base point. 

Q: EC public key. 

r_min: Lower bound on the desired (prime) order n of the base point P. For this Standard r_min shall be ≥ 2^160. 

t: The length of a field element in bits; t = ⌈log_2 q⌉. In particular, if q = 2^m, then a field element in F_2^m can be represented as a bit string of bit length t = m. 

T: In the probabilistic primality test (Section F.2.1), the number of independent test rounds to execute. For this Standard T shall be ≥ 50. 

Tr: Trace function. (See Section G.1.5.) 

||X||: Length in octets of the octet string X. 

X || Y: Concatenation of two strings X and Y. X and Y are either both bit strings, or both octet strings. 

X ⊕ Y: Bitwise exclusive-or of two bit strings X and Y of the same bit length. 

ỹ_P: The representation of the y-coordinate of a point P when point compression is used. 

Z_p: The set of integers modulo p, where p is an odd prime number. 
3. Application 

3.1. General 

When information is transmitted from one party to another, the recipient may desire to know that the 
information has not been altered in transit. Furthermore, the recipient may wish to be certain of the 
originator’s identity. Both of these services can be provided through the appropriate use of the ECDSA. 

A digital signature is an electronic analog to a written signature and may be used in proving to a third party 
that the information was, in fact, signed by the claimed originator. Unlike their written counterparts, digital 
signatures also verify the integrity of information. Digital signatures may also be generated for stored data 
and programs so that the integrity of the data and programs may be verified at any later time. 
3.2. The Use of the ECDSA Algorithm 

The ECDSA is used by a signatory to generate a digital signature on data and by a verifier to verify the 
authenticity of the signature. Each signatory has a public and private key. The private key is used in the 
signature generation process, and the public key is used in the signature verification process. For both 
signature generation and verification, the message, M, is compressed by means of the Secure Hash 
Algorithm (SHA) specified in ANSI X9.30-199x, Part 2, Secure Hash Algorithm (SHA-1) (Revised) prior 
to the signature generation and verification process. An adversary, who does not know the private key of the 
signatory, cannot generate the correct signature of the signatory. In other words, signatures cannot be 
forged. However, by using the signatory’s public key, anyone can verify a validly signed message. 

The user of the public key of a private/public key pair requires assurance that the public key represents the 
owner of that key pair. That is, there must be a binding of an owner’s identity and the owner’s public key. 
This binding may be certified by a mutually trusted party. This may be accomplished by using a 
Certification Authority which generates a certificate in accordance with ANSI X9.57, Certificate 
Management . 

This Standard provides the capability of detecting duplicate messages and preventing the replay of 
messages when the signed message includes: 

1. the identity of the intended recipient, and 

2. a MID. 

The MID shall not repeat during the cryptoperiod of the underlying private/public key pair. Appendix A of 
ANSI X9.9-1986 provides information on the use of unique MIDs. 

3.3. Control of Keying Material 

In the ECDSA asymmetric cryptographic system, the integrity of signed data is dependent upon: 

1. the prevention of unauthorized disclosure, use, modification, substitution, insertion, and deletion of 
the private key, d, and the per-message value, k, and 

2. the prevention of unauthorized modification, substitution, insertion, and deletion of elliptic curve 
parameters for the ECDSA computation procedures. 

Therefore, if d is disclosed, the integrity of any message signed using that d can no longer be assured. 
Similarly, the values for the elliptic curve parameters must be protected. 

3.4. Appendices 

The Appendices to this Standard provide additional requirements and information on the ECDSA and its 
implementation. 
4. Mathematical Conventions 

4.1. Finite Field Arithmetic 

This section describes the representations that shall be used for the elements of the underlying finite field 
F_q. Implementations with different internal representations that produce equivalent results are allowed. 
Mathematics background and examples are provided in Appendix C. 

4.1.1. The Finite Field F_p 

The elements of the finite field F_p are the integers {0, 1, 2, ..., p − 1}. 

i) The multiplicative identity element is the integer 1 . 

ii) The zero element is the integer 0. 

iii) Addition of field elements is performed modulo p. 

iv) Multiplication of field elements is performed modulo p. 


4.1.2. The Finite Field F_2^m 

The elements of the finite field F_2^m are the bit strings of bit length m. 

There are numerous methods for representing the elements of the finite field F_2^m. Two such methods are a 
polynomial basis (PB) representation (see Section C.2.1) and a normal basis (NB) representation (see 
Section C.2.3). A trinomial basis (TPB) and a pentanomial basis (PPB) are special types of polynomial 
bases; these bases are described in Section 4.1.3. An optimal normal basis (ONB) is a special type of 
normal basis; these bases are described in Section 4.1.4. 

One of TPB, PPB, or ONB shall be used as the basis for representing the elements of the finite field F_2^m in 
implementing this Standard, as described in Sections 4.1.3 and 4.1.4. The choice of representation does not 
affect the security of the ECDSA. Section G.2.3 describes one method for converting the elements of F_2^m 
from one representation to another. 

4.1.3. Trinomial and Pentanomial Basis Representation 

A polynomial basis representation of F_2^m over F_2 is determined by an irreducible polynomial f(x) of degree 
m over F_2; f(x) is called the reduction polynomial. The set of polynomials {x^(m−1), x^(m−2), ..., x, 1} forms a basis 
of F_2^m over F_2, called a polynomial basis. The elements of F_2^m are the bit strings of a bit length which is 
exactly m. A typical element a ∈ F_2^m is represented by the bit string a = (a_(m−1) a_(m−2) ... a_1 a_0), which 
corresponds to the polynomial a(x) = a_(m−1) x^(m−1) + a_(m−2) x^(m−2) + ... + a_1 x + a_0. 

i) The multiplicative identity element (1) is represented by the bit string (00...001). 

ii) The zero element (0) is represented by the bit string of all 0’s. 

iii) Addition of two field elements is accomplished by XORing the bit strings. 

iv) Multiplication of field elements a and b is defined as follows. Let r(x) be the remainder polynomial 
obtained upon dividing the product of the polynomials a(x) and b(x) by f(x). Then a · b is defined 
to be the bit string corresponding to the polynomial r(x). 

See Section C.2.1 for further details and an example of a polynomial basis representation. 

A trinomial over F_2 is a polynomial of the form x^m + x^k + 1, where 1 ≤ k ≤ m − 1. A pentanomial over F_2 
is a polynomial of the form x^m + x^(k3) + x^(k2) + x^(k1) + 1, where 1 ≤ k1 < k2 < k3 ≤ m − 1. 

A trinomial basis representation of F_2^m is a polynomial basis representation determined by an irreducible 
trinomial f(x) = x^m + x^k + 1 of degree m over F_2. Such trinomials only exist for certain values of m. 
Table E-2 in Appendix E lists an irreducible trinomial of degree m over F_2 for each m, 160 ≤ m ≤ 2000, 
for which an irreducible trinomial of degree m exists. For each such m, the table lists the smallest k for 
which x^m + x^k + 1 is irreducible over F_2. 

A pentanomial basis representation of F_2^m is a polynomial basis representation determined by an 
irreducible pentanomial f(x) = x^m + x^(k3) + x^(k2) + x^(k1) + 1 of degree m over F_2. Such pentanomials exist 
for all values of m ≥ 4. Table E-3 in Appendix E lists an irreducible pentanomial of degree m over F_2 for 
each m, 160 ≤ m ≤ 2000, for which an irreducible trinomial of degree m does not exist. For each such m, 
the table lists the triple (k1, k2, k3) for which (i) x^m + x^(k3) + x^(k2) + x^(k1) + 1 is irreducible over F_2, (ii) k1 is 
as small as possible; (iii) for this particular value of k1, k2 is as small as possible; and (iv) for these 
particular values of k1 and k2, k3 is as small as possible. 

4.1.3.a. Rules for selecting a trinomial and pentanomial basis representation 

1. If a polynomial basis representation is used for F_2^m where there exists an irreducible trinomial of 
degree m over F_2, then the reduction polynomial shall be an irreducible trinomial of degree m over 
F_2. To maximize the chances for interoperability, the reduction polynomial used should be x^m + x^k 
+ 1 for the smallest possible k. Examples of such polynomials are given in Table E-2 in Appendix 
E. 

2. If a polynomial basis representation is used for F_2^m where there does not exist an irreducible 
trinomial of degree m over F_2, then the reduction polynomial shall be an irreducible pentanomial 
of degree m over F_2. To maximize the chances for interoperability, the reduction polynomial used 
should be x^m + x^(k3) + x^(k2) + x^(k1) + 1, where (i) k1 is as small as possible; (ii) for this particular 
value of k1, k2 is as small as possible; and (iii) for these particular values of k1 and k2, k3 is as small 
as possible. Examples of such polynomials are given in Table E-3 in Appendix E. 
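The arithmetic of this section and rule 1 above, worked through as added example code (written for this edition, not part of the Standard): binary polynomials are held as Python ints with bit i holding the coefficient of x^i, so an int read in binary is the Standard's bit string (a_(m−1) ... a_1 a_0); addition is XOR and multiplication reduces modulo f(x) as in item iv. To find the smallest k for which x^m + x^k + 1 is irreducible, the example uses Rabin's irreducibility test, which is this example's choice (the Standard points to Table E-2 instead of prescribing a test). All function names are this example's own.

```python
# Added example, not the Standard's code: F_2^m polynomial basis arithmetic and the
# "smallest k" trinomial search of Section 4.1.3.a, rule 1.
# Binary polynomials are Python ints: bit i is the coefficient of x^i.


def gf2m_add(a, b):
    """Addition in F_2^m: XOR of the bit strings (Section 4.1.3, item iii)."""
    return a ^ b


def gf2m_mul(a, b, f, m):
    """Multiplication (item iv): a(x) b(x) reduced modulo the degree-m polynomial f(x).
    a and b must have degree < m; reduction happens whenever a shifted copy reaches degree m."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:       # x^m appeared: replace it by the lower terms of f
            a ^= f
    return r


def gf2m_pow(a, e, f, m):
    """a^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf2m_mul(r, a, f, m)
        a = gf2m_mul(a, a, f, m)
        e >>= 1
    return r


def gf2m_inv(a, f, m):
    """a^-1 = a^(2^m - 2) for a != 0 (Fermat in the multiplicative group of F_2^m)."""
    return gf2m_pow(a, (1 << m) - 2, f, m)


def poly_mod(a, f):
    """Remainder of the binary polynomial a divided by f (f != 0)."""
    df = f.bit_length() - 1
    while a and a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a


def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a


def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_irreducible(f, m):
    """Rabin's test (this example's choice): a degree-m binary polynomial f is irreducible
    iff x^(2^m) = x (mod f) and gcd(f, x^(2^(m/p)) - x) = 1 for every prime p dividing m."""
    x = 0b10
    powers = [x]                                   # powers[i] = x^(2^i) mod f
    for _ in range(m):
        powers.append(gf2m_mul(powers[-1], powers[-1], f, m))
    if powers[m] != x:
        return False
    return all(poly_gcd(f, powers[m // p] ^ x) == 1 for p in prime_factors(m))


def trinomial(m, k):
    """x^m + x^k + 1 as an int."""
    return (1 << m) | (1 << k) | 1


def smallest_trinomial_k(m):
    """Rule 1: the smallest k with x^m + x^k + 1 irreducible over F_2, or None when no
    irreducible trinomial of degree m exists (rule 2 then requires a pentanomial)."""
    for k in range(1, m):
        if is_irreducible(trinomial(m, k), m):
            return k
    return None


if __name__ == "__main__":
    for m in (4, 5, 7, 8):
        print("m = %d: smallest k = %s" % (m, smallest_trinomial_k(m)))
```

For m = 8 the search returns None, which is why a field of that size needs a pentanomial under rule 2; for the sizes the Standard covers (m ≥ 160) the same search reproduces the "smallest k" entries that Table E-2 lists, at the cost of a few seconds per m in pure Python.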


4.1.4. Optimal Normal Basis Representation 

Optimal normal bases (ONB) over F_2 only exist in F_2^m for certain values of m. Table E-1 in Appendix E 
lists all the values of m, 160 ≤ m ≤ 2000, for which the field F_2^m has an ONB over F_2. There are two kinds 
of ONB, called type I ONB and type II ONB. The difference between the two types of optimal normal bases 
is in the mathematical formulas which define them; these mathematical formulas are presented in Section 
4.1.4.a.1. [2] In the case that a finite field F_2^m has both a type I and a type II ONB, the type II ONB shall be 
used. 

The elements of the finite field F_2^m are the bit strings of bit length which is exactly m. A typical element a ∈ 
F_2^m is represented by the bit string a = (a_0 a_1 ... a_(m−2) a_(m−1)). 

i) The multiplicative identity element (1) is represented by the bit string of all 1’s. 

ii) The zero element (0) is represented by the bit string of all 0’s. 

iii) Addition of two field elements is accomplished by XORing the bit strings. 

iv) Multiplication of field elements is facilitated by the pre-computation of the product terms λ_ij, 0 ≤ i, 
j ≤ m − 1; a constructive definition of the product terms is given below. An example of computing 
the product terms is given in Section C.2.4. Note that there are other ways to determine these 
product terms. 

[2] Reference [31] provides mathematical definitions of type I and type II ONB. 

4.1. 4. a. Setup for multiplication in F 2 m using an optimal normal basis 

representation 

A polynomial g(x) = a m .\X mA + a m . 2 x m ' 2 + ...+ a pr + a 0 (where each a, is in the binary field F 2 ) will 
be represented by the bit string: 

of length m. For example, the polynomial g(x) = x + x 3 + 1 is represented by the bit string 1 1001 
of length m = 5. 

1. If F 2 m only has a type I ONB, then let fix) = x m + x mA + ...+ x 2 + x +1. Otherwise, if F 2 m 
has a type II ONB, then compute /(x) = fjx) using the following recursive formulas: 

m = i, 

fl(x) = x+ 1, 

fi+i(x) = xf(x ) +f. i(x), i > 1. 

At each stage, the coefficients of the polynomials f(x) are reduced modulo 2. Hence /(x) 
is a polynomial of degree m with coefficients in F 2 . The set of polynomials {x, x 2 mod 
fix), x 2 mod/(x), . . . , x 2 ' n * mod /(x) } forms a basis of F 2 m over F 2 , called a normal basis. 

2. Construct the m X m matrix A whose i row, 0 < i < m - 1, is the bit string corresponding 

to the polynomial x mod/(x). (The rows and columns of A are indexed by the integers 
from 0 to m - 1.) The entries of A are elements of F 2 . 

3. Determine the inverse matrix A' 1 of A. 

4. Construct the m X m matrix T whose ; th row, 0 <i<m - 1, is obtained as follows. 

2 1 

a. Compute the polynomial x • x~ mod fix) and let the corresponding bit string be 
denoted v; 

b. the / th row of T is the bit string vA' 1 . 

5. Determine the product terms λ_{ij}, for 0 ≤ i, j ≤ m − 1, as follows: 

λ_{ij} = T(j − i, −i). 

Here, T(i, j) denotes the (i, j)-entry of T with indices reduced modulo m. Each product 
term λ_{ij} is an element of F_2. 

It is the case that λ_{0j} = 1 for precisely one j, 0 ≤ j ≤ m − 1, and that for each i, 1 ≤ i ≤ m − 1, 
λ_{ij} = 1 for precisely two distinct j, 0 ≤ j ≤ m − 1. Hence, exactly 2m − 1 of the m^2 entries of 
the matrix T are 1, the rest being 0. (As 2m − 1 nonzero entries is the minimum possible,
this normal basis is called an optimal normal basis.) 

4.1.4.b. Multiplication in F_{2^m} using an optimal normal basis 

Let a = (a_0 a_1 a_2 ... a_{m-1}) and b = (b_0 b_1 b_2 ... b_{m-1}) be two elements in F_{2^m}. Then the product of a and b 
is the field element c = (c_0 c_1 c_2 ... c_{m-1}), where the coefficients c_k are computed using the formula: 

c_k = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} a_{i+k} b_{j+k} λ_{ij}, 0 ≤ k ≤ m − 1, 

where all subscripts are reduced modulo m. The quantities λ_{ij} are the product terms defined in 
Section 4.1.4.a. 

An example of field arithmetic using an optimal normal basis representation is given in Section 
C.2.4. 
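As an added example (not code from the standard), the setup of Section 4.1.4.a and the multiplication formula of Section 4.1.4.b implemented over F_2 for small m, with an exhaustive cross-check against polynomial-basis multiplication modulo f(x). The fields m = 4 (type I ONB) and m = 5 (type II ONB) are chosen here as small test cases and are not taken from the standard's tables.

```python
from typing import List

Bits = List[int]   # a bit string (a_{m-1} ... a_0) as the standard writes it: index 0 is the x^{m-1} coefficient


def to_bits(poly: int, m: int) -> Bits:
    """Integer with bit i = coefficient of x^i  ->  the standard's bit string of length m."""
    return [(poly >> (m - 1 - k)) & 1 for k in range(m)]


def from_bits(bits: Bits) -> int:
    m = len(bits)
    return sum(b << (m - 1 - k) for k, b in enumerate(bits))


def poly_mulmod(a: int, b: int, f: int, m: int) -> int:
    """Multiply polynomials over F_2 modulo the degree-m polynomial f (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:
            a ^= f
    return r


def type1_poly(m: int) -> int:
    """Step 1, type I ONB: f(x) = x^m + x^{m-1} + ... + x + 1."""
    return (1 << (m + 1)) - 1


def type2_poly(m: int) -> int:
    """Step 1, type II ONB: f_0 = 1, f_1 = x + 1, f_{i+1} = x f_i + f_{i-1}; returns f_m."""
    f_prev, f_cur = 1, 0b11
    for _ in range(m - 1):
        f_prev, f_cur = f_cur, (f_cur << 1) ^ f_prev
    return f_cur


def gf2_inverse(M: List[Bits]) -> List[Bits]:
    """Step 3: invert a matrix over F_2 by Gauss-Jordan elimination on [M | I]."""
    m = len(M)
    aug = [row[:] + [int(i == j) for j in range(m)] for i, row in enumerate(M)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col])   # exists because M is invertible
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]


def vec_mat(v: Bits, M: List[Bits]) -> Bits:
    """Row vector times matrix over F_2."""
    return [sum(v[i] & M[i][j] for i in range(len(M))) & 1 for j in range(len(M))]


def onb_setup(m: int, f: int):
    """Section 4.1.4.a steps 2 to 5: returns (A, A^{-1}, T, lambda)."""
    A, xi = [], 0b10                                    # row i of A is x^{2^i} mod f(x)
    for _ in range(m):
        A.append(to_bits(xi, m))
        xi = poly_mulmod(xi, xi, f, m)                  # squaring gives the next x^{2^(i+1)}
    A_inv = gf2_inverse(A)
    T = []
    for i in range(m):                                  # step 4: row i of T is (x * x^{2^i} mod f) * A^{-1}
        v = to_bits(poly_mulmod(0b10, from_bits(A[i]), f, m), m)
        T.append(vec_mat(v, A_inv))
    lam = [[T[(j - i) % m][(-i) % m] for j in range(m)] for i in range(m)]   # step 5
    return A, A_inv, T, lam


def onb_mul(a: Bits, b: Bits, lam: List[Bits]) -> Bits:
    """Section 4.1.4.b: c_k = sum_i sum_j a_{i+k} b_{j+k} lambda_{ij}, all subscripts mod m."""
    m = len(lam)
    return [sum(a[(i + k) % m] & b[(j + k) % m] & lam[i][j]
                for i in range(m) for j in range(m)) & 1 for k in range(m)]


def lambda_is_optimal(lam: List[Bits]) -> bool:
    """The 2m - 1 nonzero product terms: exactly one in row 0, exactly two in every other row."""
    m = len(lam)
    return sum(lam[0]) == 1 and all(sum(lam[i]) == 2 for i in range(1, m))


def verify_onb(m: int, f: int) -> bool:
    """Exhaustively cross-check ONB multiplication against polynomial-basis multiplication
    modulo f, converting between the two bases with A and A^{-1}."""
    A, A_inv, _, lam = onb_setup(m, f)
    if not lambda_is_optimal(lam):
        return False
    for x in range(1 << m):
        for y in range(1 << m):
            a, b = to_bits(x, m), to_bits(y, m)         # normal-basis coordinate vectors
            ap, bp = from_bits(vec_mat(a, A)), from_bits(vec_mat(b, A))
            expected = vec_mat(to_bits(poly_mulmod(ap, bp, f, m), m), A_inv)
            if onb_mul(a, b, lam) != expected:
                return False
    return True
```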

4.1.5. Fields F_{2^m} Having Both ONB and TPB 

Table E-4 in Appendix E lists the values of m, 160 < m < 2000, for which the field F_{2^m} has both an optimal 
normal basis representation (ONB) and a trinomial basis representation (TPB). 
4.2. Data Representation 

The data types in this Standard are octet strings, integers, field elements and elliptic curve points. Figure 1 
provides a cross-reference for the sections defining conversions between data types that shall be used in the 
algorithms specified in this Standard. The number on a line is the section number where the conversion 
technique is specified. Examples of conversions are provided in Section H.1. 

4.2.1. Integer-to-Octet-String Conversion 

Input: A non-negative integer x, and the intended length k of the octet string satisfying: 

2^{8k} > x. 

Output: An octet string M of length k octets. 

1. Let M_1, M_2, ..., M_k be the octets of M from leftmost to rightmost. 

2. The octets of M shall satisfy: 

x = \sum_{i=1}^{k} 2^{8(k-i)} M_i. 

4.2.2. Octet-String-to-Integer Conversion 

Input: An octet string M of length k octets. 

Output: An integer x. 

1. Let M_1, M_2, ..., M_k be the octets of M from leftmost to rightmost. 

2. M shall be converted to an integer x satisfying: 

x = \sum_{i=1}^{k} 2^{8(k-i)} M_i. 



Figure 1 Data Types and Conversion Conventions. 

4.3. Finite Field Element Representations 
4.3.1. Field-Element-to-Octet-String Conversion 

Input: An element a in the field F_q. 

Output: An octet string S of length l = ⌈t / 8⌉ octets, where t = ⌈log_2 q⌉. 

1. If q is an odd prime, then a must be an integer in the interval [0, q − 1]; a shall be 
converted to an octet string of length l octets using the technique specified in Section 4.2.1. 

2. If q = 2^m, then a must be a bit string of length m bits. Let s_1, s_2, ..., s_m be the bits of a 
from leftmost to rightmost. Let S_1, S_2, ..., S_l be the octets of S from leftmost to rightmost. The 
rightmost bit s_m shall become the rightmost bit of the last octet S_l, and so on through the leftmost 
bit s_1, which shall become the (8l − m + 1)-th bit of the first octet S_1. The leftmost (8l − m) bits of the 
first octet S_1 shall be zero. 

4.3.2. Octet-String-to-Field-Element Conversion 

Input: An indication of the field F_q used, and an octet string S of length l = ⌈t / 8⌉ octets, where 
t = ⌈log_2 q⌉. 

Output: An element a in F_q. 

1. If q is an odd prime, then convert S to an integer a using the technique specified in 
Section 4.2.2. It is an error if a does not lie in the interval [0, q − 1]. 

2. If q = 2^m, then a shall be a bit string of length m bits. Let s_1, s_2, ..., s_m be the bits of a 
from leftmost to rightmost. Let S_1, S_2, ..., S_l be the octets of S from leftmost to rightmost. The 
rightmost bit of the last octet S_l shall become the rightmost bit s_m, and so on through the (8l − 
m + 1)-th bit of the first octet S_1, which shall become the leftmost bit s_1. The leftmost (8l − m) bits of 
the first octet S_1 are not used. 

4.3.3. Field-Element-to-Integer Conversion 

Input: An element a in the field F_q. 

Output: An integer x. 

1. If q is an odd prime then x = a (no conversion is required). 

2. If q = 2^m, then a must be a bit string of length m bits. Let s_1, s_2, ..., s_m be the bits of a 
from leftmost to rightmost. a shall be converted to an integer x satisfying: 

x = \sum_{i=1}^{m} 2^{m-i} s_i. 

4.4. Elliptic Curve Point Representations 

An elliptic curve point P (which is not the point at infinity O) is represented by two field elements, the x-
coordinate of P and the y-coordinate of P: P = (x_P, y_P). The point can be represented compactly by storing 
only the x-coordinate x_P and a certain bit ỹ_P derived from the x-coordinate x_P and the y-coordinate y_P. The 
next subsection describes the technique that shall be used to recover the full y-coordinate y_P from x_P and 
ỹ_P, if this point compression technique is used. 

4.4.1. Point Compression Technique 

4.4.1.a. Point compression technique (elliptic curves over F_p) 

Let P = (x_P, y_P) be a point on the elliptic curve E : y^2 = x^3 + ax + b defined over a prime field F_p. 
Then ỹ_P is defined to be the rightmost bit of y_P. 

When the x-coordinate x_P of P and the bit ỹ_P are provided, then y_P can be recovered as follows. 

1. Compute the field element α = x_P^3 + a x_P + b mod p. 

2. Compute a square root β of α mod p. (See Section G.1.4.) It is an error 
if the output of G.1.4 is “no square roots exist”. 

3. If the rightmost bit of β is equal to ỹ_P, then set y_P = β. Otherwise, set y_P = p − β. 

4.4.1.b. Point compression technique (elliptic curves over F_{2^m}) 

Let P = (x_P, y_P) be a point on the elliptic curve E : y^2 + xy = x^3 + ax^2 + b defined over a field F_{2^m}. 
Then ỹ_P is defined to be 0 if x_P = 0; if x_P ≠ 0, then ỹ_P is defined to be the rightmost bit of the 
field element y_P · x_P^{-1}. 

When the x-coordinate x_P of P and the bit ỹ_P are provided, then y_P can be recovered as follows. 

1. If x_P = 0, then y_P = b^{2^{m-1}}. (y_P is the square root of b in F_{2^m}.) 

2. If x_P ≠ 0, then do the following: 

2.1 Compute the field element β = x_P + a + b x_P^{-2} in F_{2^m}. 

2.2 Find a field element z such that z^2 + z = β using the algorithm described in 
Section G.1.6. It is an error if the output of G.1.6 is “no solutions exist”. 

2.3 Let z̃ be the rightmost bit of z. 

2.4 If ỹ_P ≠ z̃, then set z = z + 1. 

2.5 Compute y_P = x_P · z. 

4.4.2. Conversions 

The octet string representation of the point at infinity O shall be a single zero octet PC = 00. 

An elliptic curve point (x_1, y_1) which is not the point at infinity shall be represented as an octet string in one 
of the following three forms: 

1. compressed form. 

2. uncompressed form. 

3. hybrid form (an uncompressed point which also includes ỹ_1). 

4.4.2. a. Point-to-Octet-String conversion 

Input: An elliptic curve point (x_1, y_1), not the point at infinity. 

Output: An octet string PO of length l + 1 octets if the compressed form is used, or of 
length 2l + 1 octets if the uncompressed or hybrid form is used. (l = ⌈(log_2 q) / 8⌉.) 

1. Convert the field element x_1 to an octet string X_1. (See Section 4.3.1.) 

2. If the compressed form is used, then do the following: 

2(a) Compute the bit ỹ_1. (See Section 4.4.1.) 

2(b) Assign the value 02 to the single octet PC if ỹ_1 is 0, or the value 03 if ỹ_1 is 1. 

2(c) The result is the octet string PO = PC ‖ X_1. 

3. If the uncompressed form is used, then do the following: 

3(a) Convert the field element y_1 to an octet string Y_1. (See Section 4.3.1.) 

3(b) Assign the value 04 to the single octet PC. 

3(c) The result is the octet string PO = PC ‖ X_1 ‖ Y_1. 

4. If the hybrid form is used, then do the following: 

4(a) Convert the field element y_1 to an octet string Y_1. (See Section 4.3.1.) 

4(b) Compute the bit ỹ_1. (See Section 4.4.1.) 

4(c) Assign the value 06 to the single octet PC if ỹ_1 is 0, or the value 07 if ỹ_1 is 1. 

4(d) The result is the octet string PO = PC ‖ X_1 ‖ Y_1. 

4.4.2. b. Octet-String-to-Point conversion 

Input: An octet string PO of length l + 1 octets if the compressed form is used, or of 
length 2l + 1 octets if the uncompressed or hybrid form is used (l = ⌈(log_2 q) / 8⌉), 
and field elements a, b which define an elliptic curve over F_q. 

Output: An elliptic curve point (x_1, y_1), not the point at infinity. 

1. If the compressed form is used, then parse PO as follows: PO = PC ‖ X_1, where PC is a 
single octet, and X_1 is an octet string of length l octets. If the uncompressed or hybrid form 
is used, then parse PO as follows: PO = PC ‖ X_1 ‖ Y_1, where PC is a single octet, and X_1 
and Y_1 are octet strings each of length l octets. 

2. Convert X_1 to a field element x_1. (See Section 4.3.2.) 

3. If the compressed form is used, then do the following: 

3(a) Verify that PC is either 02 or 03. (It is an error if this is not the case.) 

3(b) Set the bit ỹ_1 to be equal to 0 if PC = 02, or 1 if PC = 03. 

3(c) Convert (x_1, ỹ_1) to an elliptic curve point (x_1, y_1). (See Section 4.4.1.) 

4. If the uncompressed form is used, then do the following: 

4(a) Verify that PC is 04. (It is an error if this is not the case.) 

4(b) Convert Y_1 to a field element y_1. (See Section 4.3.2.) 

5. If the hybrid form is used, then do the following: 

5(a) Verify that PC is either 06 or 07. (It is an error if this is not the case.) 

5(b) Convert Y_1 to a field element y_1. (See Section 4.3.2.) 

6. If q is a prime, verify that y_1^2 ≡ x_1^3 + a x_1 + b (mod p). (It is an error if this is not 
the case.) 

If q = 2^m, verify that y_1^2 + x_1 y_1 = x_1^3 + a x_1^2 + b in F_{2^m}. (It is an error if this is not the 
case.) 

7. The result is (x_1, y_1). 
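The conversions of Sections 4.2, 4.3 (odd-prime case) and 4.4 as an added example, not code from the standard. The curve y^2 = x^3 + 2x + 2 over F_17 is a constructed toy, and the brute-force square root stands in for the Section G.1.4 algorithm; every place where the standard says "it is an error" raises ValueError.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None represents the point at infinity O


def i2osp(x: int, k: int) -> bytes:
    """Section 4.2.1: x = sum_{i=1}^{k} 2^{8(k-i)} M_i, i.e. big-endian; requires 2^{8k} > x >= 0."""
    if x < 0 or x >= 1 << (8 * k):
        raise ValueError("integer does not fit in k octets")
    return x.to_bytes(k, "big")


def os2ip(M: bytes) -> int:
    """Section 4.2.2: the inverse of i2osp."""
    return int.from_bytes(M, "big")


def octet_len(q: int) -> int:
    """l = ceil(t / 8) with t = ceil(log2 q); (q - 1).bit_length() equals ceil(log2 q) for q >= 2."""
    return ((q - 1).bit_length() + 7) // 8


def fe2osp(a: int, q: int) -> bytes:
    """Section 4.3.1, odd-prime case: a in [0, q-1] becomes exactly l octets."""
    if not 0 <= a < q:
        raise ValueError("field element out of range")
    return i2osp(a, octet_len(q))


def os2fep(S: bytes, q: int) -> int:
    """Section 4.3.2, odd-prime case: it is an error if the integer is not in [0, q-1]."""
    if len(S) != octet_len(q):
        raise ValueError("wrong octet string length")
    a = os2ip(S)
    if a >= q:
        raise ValueError("field element out of range")
    return a


def sqrt_mod(alpha: int, p: int) -> Optional[int]:
    """Stand-in for Section G.1.4: brute force is fine for a toy p. Returns None when no root exists."""
    return next((y for y in range(p) if y * y % p == alpha), None)


def decompress_y(x: int, ybit: int, p: int, a: int, b: int) -> int:
    """Section 4.4.1.a: recover y_P from x_P and the compression bit."""
    alpha = (x ** 3 + a * x + b) % p                        # step 1
    beta = sqrt_mod(alpha, p)                               # step 2
    if beta is None:
        raise ValueError("no square roots exist")
    return beta if beta & 1 == ybit else (p - beta) % p     # step 3; "% p" keeps beta = 0 in range


def point_to_octets(P: Point, q: int, form: str = "compressed") -> bytes:
    """Section 4.4.2.a, plus the single 00 octet for O from Section 4.4.2."""
    if P is None:
        return b"\x00"
    x, y = P
    X, Y = fe2osp(x, q), fe2osp(y, q)                       # step 1 (and 3(a) / 4(a))
    ybit = y & 1                                            # Section 4.4.1.a
    if form == "compressed":
        return bytes([0x02 + ybit]) + X                     # PC = 02 or 03
    if form == "uncompressed":
        return b"\x04" + X + Y                              # PC = 04
    if form == "hybrid":
        return bytes([0x06 + ybit]) + X + Y                 # PC = 06 or 07
    raise ValueError("unknown point form")


def octets_to_point(PO: bytes, q: int, a: int, b: int) -> Point:
    """Section 4.4.2.b; raises ValueError wherever the standard says 'it is an error'."""
    if not PO:
        raise ValueError("empty octet string")
    if PO == b"\x00":
        return None
    l = octet_len(q)
    PC, rest = PO[0], PO[1:]
    if PC in (0x02, 0x03) and len(rest) == l:               # compressed: steps 1, 2, 3
        x = os2fep(rest, q)
        y = decompress_y(x, PC - 0x02, q, a, b)
    elif PC in (0x04, 0x06, 0x07) and len(rest) == 2 * l:   # uncompressed / hybrid: steps 4, 5
        x, y = os2fep(rest[:l], q), os2fep(rest[l:], q)     # (the steps do not compare ybit with Y1)
    else:
        raise ValueError("invalid PC octet or length")
    if (y * y - (x ** 3 + a * x + b)) % q != 0:             # step 6: reject points off the curve
        raise ValueError("point is not on the curve")
    return (x, y)                                           # step 7


def is_valid_encoding(PO: bytes, q: int, a: int, b: int) -> bool:
    """True when octets_to_point accepts PO."""
    try:
        octets_to_point(PO, q, a, b)
        return True
    except ValueError:
        return False
```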

5. The Elliptic Curve Digital Signature Algorithm (ECDSA) 

This section specifies the processes of elliptic curve parameter generation and validation, key generation 
and validation, and the computations needed for signature generation and verification. Equivalent 
computations that result in identical output are allowed. 

5.1. Elliptic Curve Parameter Generation and Validation 

Elliptic curve parameters may either be common to several key pairs ( common elliptic curve parameters ) or 
specific to one key pair ( specific elliptic curve parameters). The elliptic curve parameters may be public; 
the security of the system does not rely on these parameters being secret. The elliptic curve may either be 
randomly generated in a verifiable manner or in any manner the user chooses (see Section F.3.2). Two cases 
are distinguished: 

1. when the underlying field is F_p (p an odd prime), and 

2. when the underlying field is F_{2^m}. 

Note that n is the primary security parameter. In general, as n increases, the security of ECDSA also 
increases. See Appendix D for more information. 

5.1.1. Elliptic Curve Parameters and their Validation Over F p 

5.1.1. a. Elliptic curve parameters over F p 

Elliptic curve parameters over F_p shall consist of the following parameters: 

a. A field size q = p which defines the underlying finite field F_q, where p 
> 3 shall be a prime number; 

b. (Optional) A bit string SEED of length at least 160 bits, if the elliptic 
curve was randomly generated in accordance with Section F.3.3; 

c. Two field elements a and b in F_q which define the equation of the 
elliptic curve E : y^2 = x^3 + ax + b; 

d. Two field elements x_P and y_P in F_q which define a point P = (x_P, y_P) of 
prime order on E (note that P ≠ O); 

e. The order n of the point P (it must be the case that n > 2^160); and 

f. The cofactor h = #E(F_q)/n. 

Section F.3.2 specifies the method that shall be used for generating an elliptic curve E over F_p and 
the point P of order n. 

5.1.1.b. Elliptic curve parameter validation over F_p 

The following conditions shall be verified by the generator of the system parameters. These 
conditions may alternately be verified by a user of the system parameters. 

a. Verify that q = p is an odd prime number. (Use one of the primality 
tests in Sections F.2.1 and F.2.3.) 

b. Verify that a, b, x_P and y_P are integers in the interval [0, p − 1]. 

c. If the elliptic curve was randomly generated in accordance with Section 
F.3.3, verify that SEED is a bit string of length at least 160 bits, and that a and b were 
suitably derived from SEED. (See Section F.3.4.b.) 

d. Verify that 4a^3 + 27b^2 ≢ 0 (mod p). 

e. Verify that y_P^2 ≡ x_P^3 + a x_P + b (mod p). 

f. Verify that n is prime and that n > 2^160. (See Sections F.2.1 and F.2.3.) 

g. Verify that nP = O. (See Section G.3.2.) 

h. If n > 4√p then compute h' = ⌊(√p + 1)^2 / n⌋, and verify that h = h'. 

i. Verify that the MOV and Anomalous conditions hold. (See Section F.1.) 

If any of the above verifications fail, then reject the elliptic curve parameters. 

Notes: 

1. The cofactor h is not used in ECDSA, but is included here for 
compatibility with ANSI X9.63 where it is needed. 

2. Step h of Section 5.1.1.b (and also step h of Section 5.1.2.b) verifies 
that the value of the cofactor h is correct in the case that n > 4√q. In the case that 
n < 4√q, there are efficient methods for verifying the cofactor h, but these methods are 
not described here for the following reason: elliptic curves used in practice usually have n 
≈ q, and hence the condition n > 4√q will be satisfied. 

5.1.2. Elliptic Curve Parameters and their Validation Over F_{2^m} 

5.1.2.a. Elliptic curve parameters over F_{2^m} 

Elliptic curve parameters over F_{2^m} shall consist of the following parameters: 

a. A field size q = 2^m which defines the underlying finite field F_q, an 
indication of the basis used to represent the elements of the field (TPB, PPB or ONB), 
and a reduction polynomial of degree m over F_2 if the basis used is a TPB or PPB; 

b. (Optional) A bit string SEED of length at least 160 bits, if the elliptic 
curve was randomly generated in accordance with Section F.3.3; 

c. Two field elements a and b in F_q which define the equation of the 
elliptic curve E : y^2 + xy = x^3 + ax^2 + b; 

d. Two field elements x_P and y_P in F_q which define a point P = (x_P, y_P) of 
prime order on E (note that P ≠ O); 

e. The order n of the point P (it must be the case that n > 2^160); and 

f. The cofactor h = #E(F_q)/n. 

Section F.3.2 specifies the method that shall be used for generating an elliptic curve E over F_{2^m} 
and the point P of order n. 
5.1.2.b. Elliptic curve parameter validation over F_{2^m} 

The following conditions shall be verified by the generator of the system parameters. These 
conditions may alternately be verified by a user of the system parameters. 

a. Verify that q = 2^m for some m. If the basis used is a TPB, verify that the 
reduction polynomial is a trinomial and is irreducible over F_2 (see Table E-2 or Section 
G.2.4). If the basis used is a PPB, verify that an irreducible trinomial of degree m does 
not exist, and that the reduction polynomial is a pentanomial and is irreducible over F_2 
(see Table E-3 or Section G.2.4). If the basis used is an ONB, verify that an optimal 
normal basis exists for F_{2^m} (see Table E-1 or Section G.1.8). 

b. Verify that a, b, x_P and y_P are bit strings of length m bits. 

c. If the elliptic curve was randomly generated in accordance with F.3.3, 
verify that SEED is a bit string of length at least 160 bits, and that b was suitably derived 
from SEED. (See Section F.3.4.a.) 

d. Verify that b ≠ 0. 

e. Verify that y_P^2 + x_P y_P = x_P^3 + a x_P^2 + b in F_{2^m}. 

f. Verify that n is prime and that n > 2^160. (See Sections F.2.1 and F.2.3.) 

g. Verify that nP = O. (See Section G.3.2.) 

h. If n > 4√q then compute h' = ⌊(√q + 1)^2 / n⌋, and verify that h = h'. 

i. Verify that the MOV and Anomalous conditions hold. (See Section F.1.) 

If any of the above verifications fail, then reject the elliptic curve parameters. 

5.2. Key Generation and Validation 
5.2.1. Key Generation 

Given particular elliptic curve parameters, an elliptic curve key pair shall be generated by performing the 
following operations: 

1. Select a statistically unique and unpredictable integer d in the interval [1, n − 1]. It is 
acceptable to use a random or pseudorandom number. If a pseudorandom number is used, it shall 
be generated using one of the procedures of Section F.4. If a pseudorandom number is used, 
optional information to store with the private key is the seed values and the particular 
pseudorandom generation method used. Storing this optional information helps allow auditing of 
the key generation process. 

If a pseudorandom generation method is used, the seed values used in the generation of d may be 
determined by internal means, be supplied by the caller, or both — this is an implementation choice. 
In all cases, the seed values have the same security requirements as the private key value. That is, 
they must be protected from unauthorized disclosure and be unpredictable. 


2. Compute the point Q = (x_Q, y_Q) = dP. (See Section G.3.2.) 

3. The key pair is ( Q , d ), where Q is the public key, and d is the private key. 


5.2.2. Key Validation 

Given particular elliptic curve parameters and a public key Q, the public key may be verified as follows. 

1. Verify that Q is not the point at infinity O. 

2. Verify that x_Q and y_Q are elements in the field F_q, where x_Q and y_Q are the x and y coordinates of Q, 
respectively. (That is, verify that x_Q and y_Q are integers in the interval [0, p − 1] in the case that q = 
p is an odd prime, or that x_Q and y_Q are bit strings of length m bits in the case that q = 2^m.) 

3. If q = p is an odd prime, verify that y_Q^2 ≡ x_Q^3 + a x_Q + b (mod p). If q = 2^m, verify that 
y_Q^2 + x_Q y_Q = x_Q^3 + a x_Q^2 + b in F_{2^m}. 

4. Verify that nQ = O. (See Section G.3.2.) 

If any one of the above verifications fail, then reject the public key. 

Note: If there is more than one public key available, it may also be checked that no two public keys are the 
same. 

5.3. Signature Generation 

This section describes the ECDSA signature generation process. 

The signature generation process consists of message digesting, elliptic curve computations, and modular 
computations. 

The input to the signature process is: 

1. the message, M, of an arbitrary length, which is represented by a bit string. 

2. elliptic curve parameters: q, a, b, P = (x_P, y_P), and n. 

3. an elliptic curve private key, d. 

5.3.1. Message Digesting 

Compute the hash value e = H(M) using the hash function SHA-1 as specified in ANSI X9.30-1993, Part 2. 
e is represented as an integer with a length of 160 bits. 

5.3.2. Elliptic Curve Computations 

1. Select a statistically unique and unpredictable integer k in the interval [l,n-l]. It is 

acceptable to use a random or pseudorandom number. If a pseudorandom number is used, it shall 
be generated using one of the procedures of Section F.4. 

(a) If a pseudorandom generation method is used, the seed values used in the 
generation of k may either be determined by internal means, be supplied by the caller, or 
both — this is an implementation choice. In all cases, the seed values have the same 
security requirements as the private key value. That is, they must be protected from 
unauthorized disclosure and be unpredictable. 

(b) If the implementation allows a seed supplied by the caller, then the physical 
security of the device is of utmost importance. This is because if an adversary gained 
access to the signature generation device and were able to generate a signature with a seed 
of its choice for the per-message secret k, then the adversary could easily recover the 
private key. 

2. Compute the elliptic curve point (x_1, y_1) = kP. (See Section G.3.2.) 

3. Convert the field element x_1 to an integer x̄_1, as described in Section 4.3.3. 

4. Set r = x̄_1 mod n. 

5. If r = 0, then go to step 1. 

5.3.3. Modular Computations 

1. Compute s = k^{-1}(e + dr) mod n. (See Section G.1.2 for one method to compute k^{-1} mod n.) 

2. If s = 0, then go to step 1 of Section 5.3.2. 

5.3.4. The Signature 

The signature for M shall be the two integers, r and s, as computed in Sections 5.3.2 and 5.3.3. 

Note: As an optional security check (to guard against malicious or non-malicious errors in the signature 

generation process), the signer may verify that (r, s) is indeed a valid signature for message M using the 
signature verification process described in Section 5.4. 

5.4. Signature Verification 

This section describes the ECDSA signature verification process. 


The signature verification process consists of message digesting, elliptic curve computations, and signature 
checking. 

The input to the signature verification process is: 

1. the received message, M', represented as a bit string. 

2. the received signature for M', represented as the two integers, r' and s'. 

3. elliptic curve parameters: q, a, b, P = (x_P, y_P), and n. 

4. an elliptic curve public key, Q. 

5.4.1. Message Digesting 

Compute the hash value e = H(M') using the hash function SHA-1 as specified in ANSI X9.30-1993, Part 2. 
e is represented as an integer with a length of 160 bits. 

5.4.2. Elliptic Curve Computations 

1. If r' is not an integer in the interval [1, n − 1], then reject the signature. 

2. If s' is not an integer in the interval [1, n − 1], then reject the signature. 

3. Compute c = (s')^{-1} mod n. (See Section G.1.2.) 

4. Compute u_1 = ec mod n and u_2 = r'c mod n. 

5. Compute the elliptic curve point (x_1, y_1) = u_1 P + u_2 Q (see Section G.3.2). (If u_1 P + u_2 Q is the 
point at infinity, then reject the signature.) 

5.4.3. Signature Checking 

1. Convert the field element x_1 to an integer x̄_1, as described in Section 4.3.3. 

2. Compute v = x̄_1 mod n. 

3. If r' = v, then the signature is verified, and the verifier has a high level of confidence that the 
received message was sent by the party holding the secret key d corresponding to Q. 

If r' does not equal v, then the message may have been modified, the message may have been 
incorrectly signed by the signatory, or the message may have been signed by an impostor. 
The message shall be considered invalid. 
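Parameter validation (Section 5.1.1.b), key generation and validation (Section 5.2), and signature generation and verification (Sections 5.3 and 5.4) over F_p as one added example, not code from the standard. The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order n = 19 is a constructed toy; the standard's requirement n > 2^160 is exposed as the min_order_bits parameter, and steps c (SEED) and i (MOV and Anomalous conditions) of 5.1.1.b are not implemented.

```python
import hashlib
import secrets
from typing import NamedTuple, Optional, Tuple

Point = Optional[Tuple[int, int]]          # None stands for the point at infinity O

# Section 5.1.1.a parameters over F_p (SEED omitted).
Params = NamedTuple("Params", [("p", int), ("a", int), ("b", int),
                               ("P", Tuple[int, int]), ("n", int), ("h", int)])


def on_curve(prm: Params, Q: Tuple[int, int]) -> bool:
    x, y = Q
    return (y * y - (x ** 3 + prm.a * x + prm.b)) % prm.p == 0


def add(prm: Params, P1: Point, P2: Point) -> Point:
    """Affine point addition on E over F_p (the group law behind Section G.3.2)."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % prm.p == 0:
        return None                        # P + (-P) = O; also doubling a point with y = 0
    if P1 == P2:
        lam = (3 * x1 * x1 + prm.a) * pow(2 * y1, -1, prm.p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, prm.p)
    x3 = (lam * lam - x1 - x2) % prm.p
    return (x3, (lam * (x1 - x3) - y1) % prm.p)


def mul(prm: Params, k: int, Q: Point) -> Point:
    """Double-and-add scalar multiplication kQ for k >= 0."""
    R: Point = None
    while k:
        if k & 1:
            R = add(prm, R, Q)
        Q = add(prm, Q, Q)
        k >>= 1
    return R


def is_prime(n: int) -> bool:
    """Trial division, adequate for toy sizes (the standard points to Sections F.2.1 and F.2.3)."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def validate_params(prm: Params, min_order_bits: int = 160) -> bool:
    """Section 5.1.1.b steps a, b, d, e, f, g, h. The standard fixes min_order_bits at 160."""
    p, a, b, (xP, yP), n, h = prm
    if not (p > 3 and is_prime(p)):                                      # a
        return False
    if not all(0 <= v < p for v in (a, b, xP, yP)):                      # b
        return False
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:                              # d
        return False
    if not on_curve(prm, (xP, yP)):                                      # e
        return False
    if not (is_prime(n) and n > 2 ** min_order_bits):                    # f
        return False
    if mul(prm, n, (xP, yP)) is not None:                                # g: nP = O
        return False
    # h: if n > 4*sqrt(p) then h must equal floor((sqrt(p) + 1)^2 / n); float is fine for toy p
    return not (n * n > 16 * p) or h == int((p ** 0.5 + 1) ** 2 // n)


def validate_public_key(prm: Params, Q: Point) -> bool:
    """Section 5.2.2: Q != O, coordinates in [0, p-1], Q on E, and nQ = O."""
    if Q is None or not all(0 <= v < prm.p for v in Q):                  # steps 1 and 2
        return False
    return on_curve(prm, Q) and mul(prm, prm.n, Q) is None               # steps 3 and 4


def keygen(prm: Params, d: Optional[int] = None) -> Tuple[int, Tuple[int, int]]:
    """Section 5.2.1: unpredictable d in [1, n-1], Q = dP. Passing a fixed d is for tests only."""
    if d is None:
        d = 1 + secrets.randbelow(prm.n - 1)
    return d, mul(prm, d, prm.P)


def digest(M: bytes) -> int:
    """Sections 5.3.1 and 5.4.1: e = SHA-1(M) read as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(M).digest(), "big")


def sign(prm: Params, d: int, M: bytes) -> Tuple[int, int]:
    """Sections 5.3.2 and 5.3.3: fresh unpredictable k per message; restart when r = 0 or s = 0."""
    e, n = digest(M), prm.n
    while True:
        k = 1 + secrets.randbelow(n - 1)
        r = mul(prm, k, prm.P)[0] % n      # kP != O since 0 < k < n; r = x1 mod n
        if r == 0:
            continue
        s = pow(k, -1, n) * (e + d * r) % n
        if s != 0:
            return r, s


def verify(prm: Params, Q: Tuple[int, int], M: bytes, sig: Tuple[int, int]) -> bool:
    """Sections 5.4.2 and 5.4.3."""
    r, s = sig
    n = prm.n
    if not (1 <= r < n and 1 <= s < n):                                  # steps 1 and 2
        return False
    c = pow(s, -1, n)                                                    # step 3
    u1, u2 = digest(M) * c % n, r * c % n                                # step 4
    R = add(prm, mul(prm, u1, prm.P), mul(prm, u2, Q))                   # step 5
    return R is not None and r == R[0] % n                               # 5.4.3: v = x1 mod n


# Constructed toy parameters: #E(F_17) = 19 is prime, so every point other than O has order 19.
TOY = Params(p=17, a=2, b=2, P=(5, 1), n=19, h=1)
```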

6. ASN.1 Syntax 

This section provides the syntax for elliptic curve parameters and keys according to Abstract Syntax 
Notation One (ASN.1). While it is not required that elliptic curve parameters and keys be represented with 
ASN.1 syntax, if they are so represented, then their syntax shall be as defined here. These ASN.1 definitions 
shall be encoded using Distinguished Encoding Rules (DER). 

The object identifier ansi-X9-62 represents the root of the tree containing all object identifiers defined 
in this Standard, and has the following value: 

ansi-X9-62 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10045 } 

6.1. Syntax for Finite Field Identification 

This section provides the abstract syntax definitions for the finite fields defined in this Standard. 

A finite field shall be identified by a value of type FieldID: 

FieldID { FIELD-ID:IOSet } ::= SEQUENCE { 
    fieldType   FIELD-ID.&id({IOSet}), 
    parameters  FIELD-ID.&Type({IOSet}{@fieldType}) OPTIONAL 
} 

FieldTypes FIELD-ID ::= { 
    { Prime-p IDENTIFIED BY prime-field } | 
    { Characteristic-two IDENTIFIED BY characteristic-two-field }, 
    ... 
} 

FIELD-ID ::= TYPE-IDENTIFIER 

Note: 

FieldID is a parameterized type composed of two components, fieldType and parameters. These 
components are specified by the fields &id and &Type, which form a template for defining sets of 
information objects, instances of the class FIELD-ID. This class is based on the useful information object 
class TYPE-IDENTIFIER, described in X.681 Annex A. In an instance of FieldID, “fieldType” 
will contain an object identifier value that uniquely identifies the type contained in “parameters”. The 
effect of referencing “fieldType” in both components of the FieldID sequence is to tightly bind the 
object identifier and its type. 

The information object set FieldTypes is used as the single parameter in a reference to type FieldID. 
FieldTypes contains two objects followed by the extension marker (“...”). Each object, which represents 
a finite field, contains a unique object identifier and its associated type. The values of these objects define 
all of the valid values that may appear in an instance of FieldID. The extension marker allows backward 
compatibility with future versions of this standard which may define objects to represent additional kinds of 
finite fields. 

The object identifier id-fieldType represents the root of a tree containing the object identifiers of 
each field type. It has the following value: 

id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) } 

The object identifiers prime-field and characteristic-two-field name the two kinds of 
fields defined in this Standard. They have the following values: 

prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 
characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 } 

Prime-p ::= INTEGER   -- Field size p 

Characteristic-two ::= SEQUENCE { 
    m           INTEGER,   -- Field size 2^m 
    basis       CHARACTERISTIC-TWO.&id({BasisTypes}), 
    parameters  CHARACTERISTIC-TWO.&Type({BasisTypes}{@basis}) 
} 

BasisTypes CHARACTERISTIC-TWO ::= { 
    { NULL IDENTIFIED BY onBasis } | 
    { Trinomial IDENTIFIED BY tpBasis } | 
    { Pentanomial IDENTIFIED BY ppBasis }, 
    ... 
} 

Trinomial ::= INTEGER 

Pentanomial ::= SEQUENCE { 
    k1 INTEGER, 
    k2 INTEGER, 
    k3 INTEGER 
} 

CHARACTERISTIC-TWO ::= TYPE-IDENTIFIER 

The object identifier id-characteristic-two-basis represents the root of a tree containing the 
object identifiers for each type of basis for the characteristic-two finite fields. It has the following value: 

id-characteristic-two-basis OBJECT IDENTIFIER ::= { characteristic-two-field basisType(3) } 

The object identifiers onBasis, tpBasis and ppBasis name the three kinds of basis for 
characteristic-two finite fields defined in this Standard. They have the following values: 

onBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 } 

tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 } 

ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 } 

Notes: 

1. For the finite field F_p, where p is an odd prime, the parameter p is specified by a value of 
type Prime-p. 

2. For the finite field F_{2^m}, the components of Characteristic-two are: 

• m : degree of the field. 

• basis : the type of representation used (ONB, TPB, or PPB). 

3. For a trinomial basis representation of F_{2^m}, Trinomial specifies the integer k 
where x^m + x^k + 1 is the reduction polynomial. 

4. For a pentanomial basis representation of F_{2^m}, the components k1, k2, and k3 of 
Pentanomial specify the integers k_1, k_2, and k_3, respectively, where 
x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1 is the reduction polynomial. 

6.2. Syntax for Finite Field Elements and Elliptic Curve Points 

A finite field element shall be represented by a value of type FieldElement: 

FieldElement ::= OCTET STRING 

The value of FieldElement shall be the octet string representation of a field element following the 
conversion routine in Section 4.3.1. 

An elliptic curve point shall be represented by a value of type ECPoint: 

ECPoint ::= OCTET STRING 

The value of ECPoint shall be the octet string representation of an elliptic curve point following the 
conversion routine in Section 4.4.2.a. 

6.3. Syntax for Elliptic Curve Parameters 

This section provides syntax for representing elliptic curve parameters. 

Elliptic curve parameters shall be represented by a value of type ECParameters: 

ECParameters ::= SEQUENCE { 
    version   INTEGER { ecpVer1(1) } (ecpVer1), 
    fieldID   FieldID {{FieldTypes}}, 
    curve     Curve, 
    base      ECPoint, 
    order     INTEGER, 
    cofactor  INTEGER, 
    ... 
} 

Curve ::= SEQUENCE { 
    a     FieldElement, 
    b     FieldElement, 
    seed  BIT STRING OPTIONAL 
} 

The components of type ECParameters have the following meanings: 

• version specifies the version number of the elliptic curve parameters. It shall have the 
value 1 for this version of the Standard. The notation above creates an INTEGER named 
ecpVer1 and gives it a value of one. It is used to constrain version to a single value. 

• fieldID identifies the finite field over which the elliptic curve is defined. Finite fields 
are represented by values of the parameterized type FieldID, constrained to the values 
of the objects defined in the information object set FieldTypes. 

• curve specifies the coefficients a and b of the elliptic curve E. Each coefficient shall be 
represented as a value of type FieldElement, an OCTET STRING. seed is an 
optional parameter used to derive the coefficients of a randomly generated elliptic curve. 

• base specifies the base point P on the elliptic curve. The base point shall be represented 
as a value of type ECPoint, an OCTET STRING. 

• order specifies the order n of the base point. 

• cofactor is the integer h = #E(F_q)/n. 

6.4. Syntax for Public Keys 

This section provides the syntax for the public keys defined in this Standard. 

A public key may be represented in a variety of ways using ASN.1 syntax. When a public key is 
represented as the X.509 type SubjectPublicKeyInfo, then the public key shall have the following 
syntax: 

SubjectPublicKeyInfo ::= SEQUENCE { 
    algorithm         AlgorithmIdentifier {{ECPKAlgorithms}}, 
    subjectPublicKey  BIT STRING 
} 

AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE { 
    algorithm   ALGORITHM.&id({IOSet}), 
    parameters  ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL 
} 

ECPKAlgorithms ALGORITHM ::= { 
    ecPublicKeyAlgorithm, 
    ... 
} 

ecPublicKeyAlgorithm ALGORITHM ::= { ECParameters IDENTIFIED BY id-ecPublicKey } 

ALGORITHM ::= TYPE-IDENTIFIER 

id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 } 
id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) } 
Notes: 

1. The object identifier id-publicKeyType represents the tree containing the object 
identifiers for each public key. It has the following value: 

id-public-key-type OBJECT IDENTIFIER ::= { ansi-X9.62 2 } 

2. The elliptic curve public key (an ECPoint which is an OCTET STRING) is mapped to 
a subjectPublicKey (a BIT STRING) as follows: the most significant bit of the 
OCTET STRING becomes the most significant bit of the BIT STRING, etc.; the least 
significant bit of the OCTET STRING becomes the least significant bit of the BIT 
STRING. 
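DER encoding of ECParameters and SubjectPublicKeyInfo from Section 6 as an added example, not code from the standard. The DER primitives are written from scratch here, the toy curve values (p = 17, a = b = 2, base point (5, 1), n = 19, h = 1) are constructed, and the object identifier arcs are the ones this section defines.

```python
from typing import List, Tuple

# Object identifier arcs as defined in Section 6 of the standard.
ANSI_X9_62 = [1, 2, 840, 10045]            # { iso(1) member-body(2) us(840) 10045 }
PRIME_FIELD = ANSI_X9_62 + [1, 1]          # id-fieldType fieldType(1), then prime-field 1
ID_EC_PUBLIC_KEY = ANSI_X9_62 + [2, 1]     # id-publicKeyType keyType(2), then id-ecPublicKey 1


def der_len(n: int) -> bytes:
    """DER length octets: one octet below 128, otherwise 0x80 | count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(x: int) -> bytes:
    """Non-negative INTEGER: minimal big-endian content, with a leading 00 when the top bit is set."""
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def der_oid(arcs: List[int]) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128, high bit = more."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_octet_string(s: bytes) -> bytes:
    return tlv(0x04, s)


def der_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def der_bit_string(octets: bytes) -> bytes:
    """Section 6.4 note 2: the ECPoint octets map bit for bit, so the unused-bits octet is 00."""
    return tlv(0x03, b"\x00" + octets)


def octet_len(p: int) -> int:
    """l = ceil(ceil(log2 p) / 8) from Section 4.3.1."""
    return ((p - 1).bit_length() + 7) // 8


def field_element(a: int, p: int) -> bytes:
    """FieldElement ::= OCTET STRING carrying the Section 4.3.1 encoding (odd-prime case)."""
    return der_octet_string(a.to_bytes(octet_len(p), "big"))


def ec_point(Q: Tuple[int, int], p: int) -> bytes:
    """Uncompressed Section 4.4.2.a octets 04 || X1 || Y1 (raw octets, not yet DER-wrapped)."""
    l = octet_len(p)
    return b"\x04" + Q[0].to_bytes(l, "big") + Q[1].to_bytes(l, "big")


def ec_parameters(p: int, a: int, b: int, P: Tuple[int, int], n: int, h: int) -> bytes:
    """ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor } for a prime field."""
    field_id = der_sequence(der_oid(PRIME_FIELD), der_integer(p))      # Prime-p ::= INTEGER
    curve = der_sequence(field_element(a, p), field_element(b, p))      # seed is OPTIONAL and omitted
    return der_sequence(der_integer(1),                                 # version ecpVer1(1)
                        field_id,
                        curve,
                        der_octet_string(ec_point(P, p)),               # base ECPoint ::= OCTET STRING
                        der_integer(n),                                 # order
                        der_integer(h))                                 # cofactor


def subject_public_key_info(params: bytes, Q: Tuple[int, int], p: int) -> bytes:
    """SubjectPublicKeyInfo with AlgorithmIdentifier { id-ecPublicKey, ECParameters } (Section 6.4)."""
    algorithm = der_sequence(der_oid(ID_EC_PUBLIC_KEY), params)
    return der_sequence(algorithm, der_bit_string(ec_point(Q, p)))


# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17, base point (5, 1), order 19, cofactor 1.
TOY_PARAMS = ec_parameters(17, 2, 2, (5, 1), 19, 1)
```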
Appendix A An Overview of Elliptic Curve Systems 

[Informative] 

Many public-key cryptographic systems are based on exponentiation operations in large finite mathematical 
groups. The cryptographic strength of these systems is derived from the believed computational 
intractability of computing logarithms in these groups. The most common groups are the multiplicative 
groups of Z_p (the integers modulo a prime p) and F_{2^m} (characteristic 2 finite fields). The primary advantages 
of these groups are their rich theory, easily understood structure, and straightforward implementation. 
However, they are not the only groups that have the requisite properties. In particular, the mathematical 
structures known as elliptic curves have the requisite mathematical properties, a rich theory, and are 
especially amenable to efficient implementation in hardware or software. 

The algebraic system defined on the points of an elliptic curve provides an alternate means to implement the 
ElGamal and ElGamal-like public-key encryption and signature protocols. These protocols are described in 
the literature in the algebraic system Z_p, the integers modulo p, where p is a prime. For example, the Digital 
Signature Algorithm (DSA) defined in X9.30-1-1994 is an ElGamal-like signature scheme defined over Z_p. 
The same protocol for signing can be defined over the points on an elliptic curve. 

Elliptic curve systems as applied to ElGamal protocols were first proposed in 1985 independently by Neil 
Koblitz from the University of Washington, and Victor Miller, who was then at IBM, Yorktown Heights. 
The security of the cryptosystems using elliptic curves hinges on the intractability of the discrete logarithm 
problem in the algebraic system. Unlike the case of the discrete logarithm problem in finite fields, or the 
problem of factoring integers, there is no subexponential-time algorithm known for the elliptic curve 
discrete logarithm problem. The best algorithm known to date takes fully exponential time. 

The primary advantage of elliptic curve systems is their apparent high cryptographic strength relative to the key size. The attractiveness of the elliptic curve cryptosystems may increase relative to other public-key cryptosystems, as computing power improvements force an increase in the key size. The significantly shorter key sizes may result in shorter certificates and system parameters. These potential advantages manifest themselves in many ways, including:

• storage efficiencies,
• bandwidth savings, and
• computational efficiencies.

The computational efficiencies may lead in turn to:

• higher speeds,
• lower power consumption, and
• code size reductions.

The computational efficiencies available with the use of these implementations, combined with the 
efficiencies of elliptic curves in general, are particularly beneficial in applications where bandwidth, 
processing capacity, power availability or storage are constrained. Such applications include wireless 
communications, handheld computing, broadcast communications and smart card applications. 

Associated with any finite field F_q there are on the order of q different elliptic curves that can be formed and used for the cryptosystems. Thus, for a fixed finite field with q elements and with a large value of q, there are many choices for the elliptic curve group. Since each elliptic curve operation requires a number of more basic operations in the underlying finite field F_q, a finite field may be selected with a very efficient software or hardware implementation, and there remain an enormous number of choices for the elliptic curve.

This Standard describes the implementation of a signature algorithm which uses elliptic curves over a finite field F_q where q is either a prime number or equal to 2^m for some positive integer m.
Appendix B The Elliptic Curve Analog of the DSA (ECDSA) 

[Informative] 

The elliptic curve algorithm (ECDSA) described in this Standard is the elliptic curve analog of a discrete logarithm algorithm that is usually described in the setting of F_p^* (also denoted Z_p^*), the multiplicative group of the integers modulo a prime. The following tables show the correspondence between the elements and operations of the group F_p^* and the elliptic curve group E(F_q).


Table B-1: DSA and ECDSA Group Information

Group                     F_p^*                                  E(F_q)

Group elements            The set of integers                    Points (x, y) which satisfy the
                          {1, 2, ..., p - 1}                     defining equation of the elliptic
                                                                 curve, plus the point at infinity O.

Group operation           Multiplication modulo p                Addition of points

Notation                  Elements: g, h                         Elements: P, Q
                          Multiplication: g × h                  Addition: P + Q
                          Exponentiation: g^a                    Multiple of a point (also called
                                                                 scalar multiplication): aP

Discrete logarithm        Given g ∈ F_p^* and h = g^a mod p,     Given P ∈ E(F_q) and Q = aP,
problem                   find the integer a.                    find the integer a.


Table B-2: DSA and ECDSA Notation

DSA Notation        ECDSA Notation

q                   n
g                   P
x                   d
y                   Q
Table B-3: DSA and ECDSA Setup

DSA Setup                                            ECDSA Setup

1. p and q are primes, q divides p - 1.              1. E is an elliptic curve defined over the field F_q.

2. g is an element of order q in F_p^*.              2. P is a point of prime order n in E(F_q).

3. The group used is:                                3. The group used is:
   {g^0, g^1, g^2, ..., g^{q-1}}.                       {O, P, 2P, ..., (n - 1)P}.


Table B-4: DSA and ECDSA Key Generation

DSA Key Generation                                   ECDSA Key Generation

1. Select a random integer x in the interval         1. Select a statistically unique and
   [1, q - 1].                                          unpredictable integer d in the interval
                                                        [1, n - 1].

2. Compute y = g^x mod p.                            2. Compute Q = dP.

3. The private key is x.                             3. The private key is d.

4. The public key is y.                              4. The public key is Q.


Table B-5: DSA and ECDSA Signature Generation

DSA Signature Generation                             ECDSA Signature Generation

1. Select a random integer k in the interval         1. Select a statistically unique and
   [1, q - 1].                                          unpredictable integer k in the interval
                                                        [1, n - 1].

2. Compute g^k mod p.                                2. Compute kP = (x_1, y_1).

3. Compute r = (g^k mod p) mod q.                    3. Compute r = x_1 mod n.

4. Compute e = H(M).                                 4. Compute e = H(M).

5. Compute s = k^{-1}(e + xr) mod q.                 5. Compute s = k^{-1}(e + dr) mod n.

6. The signature for M is (r, s).                    6. The signature for M is (r, s).


Table B-6: DSA and ECDSA Signature Verification

DSA Signature Verification                           ECDSA Signature Verification

1. Compute e = H(M).                                 1. Compute e = H(M).

2. Compute s^{-1} mod q.                             2. Compute s^{-1} mod n.

3. Compute u_1 = e s^{-1} mod q.                     3. Compute u_1 = e s^{-1} mod n.

4. Compute u_2 = r s^{-1} mod q.                     4. Compute u_2 = r s^{-1} mod n.

5. Compute v' = g^{u_1} y^{u_2} mod p.               5. Compute u_1 P + u_2 Q = (x_1, y_1).

6. Compute v = v' mod q.                             6. Compute v = x_1 mod n.

7. Accept the signature if v = r.                    7. Accept the signature if v = r.
Appendix C Mathematical Background 

[Informative] 

C.1. The Finite Field F_p

Let p be a prime number. The finite field F_p is comprised of the set of integers

{0, 1, 2, ..., p - 1}

with the following arithmetic operations:

• Addition: If a, b ∈ F_p, then a + b = r, where r is the remainder when the integer a + b is divided by p, r ∈ [0, p - 1]. This is known as addition modulo p (mod p).

• Multiplication: If a, b ∈ F_p, then ab = s, where s is the remainder when the integer ab is divided by p, s ∈ [0, p - 1]. This is known as multiplication modulo p (mod p).

Let F_p^* denote all the non-zero elements in F_p. In F_p^*, there exists at least one element g such that any non-zero element of F_p can be expressed as a power of g. Such an element g is called a generator (or primitive element) of F_p^*. That is

F_p^* = {g^i : 0 ≤ i ≤ p - 2}.

The multiplicative inverse of a = g^i ∈ F_p^*, where 0 ≤ i ≤ p - 2, is:

a^{-1} = g^{p-1-i}.

Example 1: The finite field F_2

F_2 = {0, 1}. The addition and multiplication tables for F_2 are:

    +  | 0  1            ·  | 0  1
    ---+------           ---+------
    0  | 0  1            0  | 0  0
    1  | 1  0            1  | 0  1


Example 2: The finite field F_23

F_23 = {0, 1, 2, ..., 22}. Examples of the arithmetic operations in F_23 are:

12 + 20 = 32 mod 23 = 9, since the remainder is 9 when 32 is divided by 23
8 · 9 = 72 mod 23 = 3, since the remainder is 3 when 72 is divided by 23.

The element 5 is a generator of F_23^*. The powers of 5 modulo 23 are:

5^0 = 1      5^6 = 8       5^12 = 18     5^18 = 6
5^1 = 5      5^7 = 17      5^13 = 21     5^19 = 7
5^2 = 2      5^8 = 16      5^14 = 13     5^20 = 12
5^3 = 10     5^9 = 11      5^15 = 19     5^21 = 14
5^4 = 4      5^10 = 9      5^16 = 3      5^22 = 1.
5^5 = 20     5^11 = 22     5^17 = 15


C.2. The Finite Field F_2^m

There are many ways to construct a finite field with 2^m elements. The field F_2^m can be viewed as a vector space of dimension m over F_2. That is, there exist m elements α_0, α_1, ..., α_{m-1} in F_2^m such that each element a ∈ F_2^m can be uniquely written in the form:

a = a_0 α_0 + a_1 α_1 + ... + a_{m-1} α_{m-1}, where a_i ∈ {0, 1}.

Such a set {α_0, α_1, ..., α_{m-1}} of elements is called a basis of F_2^m over F_2. Given such a basis, we can represent a field element a as the binary vector (a_0, a_1, ..., a_{m-1}). Addition of field elements is performed by bitwise XOR-ing the vector representations.

There are many different bases of F_2^m over F_2. Some bases lead to more efficient software and/or hardware implementations of the arithmetic in F_2^m than other bases. In this section, three kinds of bases are discussed. Section C.2.1 introduces polynomial bases which use polynomial addition, multiplication, division and remainder. Section C.2.2 introduces special kinds of polynomial bases called trinomial and pentanomial bases. Section C.2.3 introduces normal bases. Section C.2.4 introduces special kinds of normal bases called optimal normal bases (ONB).

C.2.1. Polynomial Bases

Let f(x) = x^m + f_{m-1} x^{m-1} + ... + f_2 x^2 + f_1 x + f_0 (where f_i ∈ F_2 for i = 0, ..., m - 1) be an irreducible polynomial of degree m over F_2, i.e., f(x) cannot be factored into two polynomials over F_2, each of degree less than m. f(x) is called the reduction polynomial. The finite field F_2^m is comprised of all polynomials over F_2 of degree less than m:

F_2^m = {a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_1 x + a_0 : a_i ∈ {0, 1}}.

The field element (a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_1 x + a_0) is usually denoted by the binary string (a_{m-1} ... a_1 a_0) of length m, so that

F_2^m = {(a_{m-1} ... a_1 a_0) : a_i ∈ {0, 1}}.

Thus the elements of F_2^m can be represented by the set of all binary strings of length m. The multiplicative identity element (1) is represented by the bit string (00...01), while the zero element is represented by the bit string of all 0's.

Field elements are added and multiplied as follows:

C.2.1.a. Field addition

(a_{m-1} ... a_1 a_0) + (b_{m-1} ... b_1 b_0) = (c_{m-1} ... c_1 c_0)

where c_i = a_i ⊕ b_i. That is, field addition is performed componentwise.

C.2.1.b. Field multiplication

(a_{m-1} ... a_1 a_0) · (b_{m-1} ... b_1 b_0) = (r_{m-1} ... r_1 r_0),

where the polynomial (r_{m-1} x^{m-1} + ... + r_1 x + r_0) is the remainder when the polynomial

(a_{m-1} x^{m-1} + ... + a_1 x + a_0) · (b_{m-1} x^{m-1} + ... + b_1 x + b_0)

is divided by f(x) over F_2.

This method of representing F_2^m is called a polynomial basis representation, and {1, x, x^2, ..., x^{m-1}} is called a polynomial basis of F_2^m over F_2.

Note that F_2^m contains exactly 2^m elements. Let (F_2^m)^* denote the set of all non-zero elements in F_2^m. There exists at least one element g in (F_2^m)^* such that any non-zero element of F_2^m can be expressed as a power of g. Such an element g is called a generator (or primitive element) of (F_2^m)^*. That is

(F_2^m)^* = {g^i : 0 ≤ i ≤ 2^m - 2}.

The multiplicative inverse of a = g^i ∈ (F_2^m)^*, where 0 ≤ i ≤ 2^m - 2, is:

a^{-1} = g^{2^m - 1 - i}.

Example 3: The finite field F_2^4 using a polynomial basis representation

Take f(x) = x^4 + x + 1 over F_2; it can be verified that f(x) is irreducible over F_2. Then the elements of F_2^4 are:

(0000) (1000) (0100) (1100) (0010) (1010) (0110) (1110)
(0001) (1001) (0101) (1101) (0011) (1011) (0111) (1111).

As examples of field arithmetic, we have:

(1101) + (1001) = (0100), and
(1101) · (1001) = (1111) since

(x^3 + x^2 + 1)(x^3 + 1) = x^6 + x^5 + x^2 + 1
                          = (x^4 + x + 1)(x^2 + x) + (x^3 + x^2 + x + 1)
                          = x^3 + x^2 + x + 1 mod f(x),

i.e., x^3 + x^2 + x + 1 is the remainder when (x^3 + x^2 + 1) · (x^3 + 1) is divided by f(x).

The multiplicative identity is (0001).

(F_2^4)^* can be generated by one element, α = x. The powers of α are:

α^0 = (0001)    α^4 = (0011)    α^8 = (0101)     α^12 = (1111)
α^1 = (0010)    α^5 = (0110)    α^9 = (1010)     α^13 = (1101)
α^2 = (0100)    α^6 = (1100)    α^10 = (0111)    α^14 = (1001).
α^3 = (1000)    α^7 = (1011)    α^11 = (1110)




C.2.2. Trinomial and Pentanomial Bases

A trinomial basis (TPB) and a pentanomial basis (PPB) are special types of polynomial bases. A trinomial over F_2 is a polynomial of the form x^m + x^k + 1, where 1 ≤ k ≤ m - 1. A pentanomial over F_2 is a polynomial of the form x^m + x^{k_3} + x^{k_2} + x^{k_1} + 1, where 1 ≤ k_1 < k_2 < k_3 ≤ m - 1.

A trinomial basis representation of F_2^m is a polynomial basis representation determined by an irreducible trinomial f(x) = x^m + x^k + 1 of degree m over F_2. Such trinomials only exist for certain values of m. Example 3 above is an example of a trinomial basis representation of the finite field F_2^4.

A pentanomial basis representation of F_2^m is a polynomial basis representation determined by an irreducible pentanomial f(x) = x^m + x^{k_3} + x^{k_2} + x^{k_1} + 1 of degree m over F_2. Such pentanomials exist for all values of m ≥ 4.

C.2.3. Normal Bases

A normal basis of F_2^m over F_2 is a basis of the form:

{β, β^2, β^{2^2}, ..., β^{2^{m-1}}},

where β ∈ F_2^m. Such a basis always exists. Given any element a ∈ F_2^m, we can write

a = Σ_{i=0}^{m-1} a_i β^{2^i}, where a_i ∈ {0, 1}.

This field element a is denoted by the binary string (a_0 a_1 a_2 ... a_{m-1}) of length m, so that

F_2^m = {(a_0 a_1 ... a_{m-1}) : a_i ∈ {0, 1}}.

Note that, by convention, the ordering of bits is different from that of a polynomial basis representation (Section C.2.1).

The multiplicative identity element (1) is represented by the bit string of all 1's (11...11), while the zero element is represented by the bit string of all 0's.

Since squaring is a linear operator in F_2^m, we have:

a^2 = (Σ_{i=0}^{m-1} a_i β^{2^i})^2 = Σ_{i=0}^{m-1} a_i β^{2^{i+1}} = Σ_{i=0}^{m-1} a_{i-1} β^{2^i},

with indices reduced modulo m. Hence a normal basis representation of F_2^m is advantageous because squaring a field element can then be accomplished by a simple rotation of the vector representation, an operation that is easily implemented in hardware.

C.2.4. Optimal Normal Bases

In Example 3, the field F_2^4 was described using polynomial multiplication, division and remainders. An optimal normal basis representation, as defined in Section 4.1.4, may also be used to construct the field F_2^4. Note that a Type I ONB does indeed exist for F_2^4.

Example 4: The finite field F_2^4 using an optimal normal basis representation

As in Example 3, the elements of F_2^4 are the binary 4-tuples:

(0000) (0001) (0010) (0011) (0100) (0101) (0110) (0111)
(1000) (1001) (1010) (1011) (1100) (1101) (1110) (1111).
Field elements are added and multiplied as follows:

C.2.4.a. Field addition:

(a_0 a_1 a_2 a_3) + (b_0 b_1 b_2 b_3) = (c_0 c_1 c_2 c_3), where c_i = a_i ⊕ b_i.

In other words, field addition is performed by simply XORing the vector representations.

C.2.4.b. Field multiplication:

The setup for multiplication is done as follows. See Section 4.1.4 for a description of the steps that are performed.

1. f(x) = x^4 + x^3 + x^2 + x + 1.

2. Since

   x   mod f(x) = x,
   x^2 mod f(x) = x^2,
   x^4 mod f(x) = x^3 + x^2 + x + 1,
   x^8 mod f(x) = x^3,

   the matrix A is computed as:

       | 0 0 1 0 |
   A = | 0 1 0 0 |
       | 1 1 1 1 |
       | 1 0 0 0 |

3. The inverse of A is:

          | 0 0 0 1 |
   A^-1 = | 0 1 0 0 |
          | 1 0 0 0 |
          | 1 1 1 1 |

4. The matrix T is computed as:

       | 0 1 0 0 |
   T = | 0 0 0 1 |
       | 1 1 1 1 |
       | 0 0 1 0 |

5. The λ_ij terms which are 1 are: λ_02, λ_12, λ_13, λ_20, λ_21, λ_31 and λ_33.

For this particular example, multiplication is defined to be:

(a_0 a_1 a_2 a_3) · (b_0 b_1 b_2 b_3) = (c_0 c_1 c_2 c_3), where

c_0 = a_0 b_2 ⊕ a_1(b_2 ⊕ b_3) ⊕ a_2(b_0 ⊕ b_1) ⊕ a_3(b_1 ⊕ b_3)
c_1 = a_1 b_3 ⊕ a_2(b_3 ⊕ b_0) ⊕ a_3(b_1 ⊕ b_2) ⊕ a_0(b_2 ⊕ b_0)
c_2 = a_2 b_0 ⊕ a_3(b_0 ⊕ b_1) ⊕ a_0(b_2 ⊕ b_3) ⊕ a_1(b_3 ⊕ b_1)
c_3 = a_3 b_1 ⊕ a_0(b_1 ⊕ b_2) ⊕ a_1(b_3 ⊕ b_0) ⊕ a_2(b_0 ⊕ b_2).

With these definitions of addition and multiplication, the 16 binary 4-tuples form a field.

Notes:

1. When an ONB is used, the multiplicative identity in F_2^4 is (1111). (In Example 3, when a polynomial basis was used, it was (0001).)

2. Referring to the equations in step 5 above, note that:

   (a_0 a_1 a_2 a_3) · (a_0 a_1 a_2 a_3) = (a_0 a_1 a_2 a_3)^2 = (a_3 a_0 a_1 a_2),

so the square of a field element is simply a right cyclic shift of its vector representation.

3. The formula for c_1 in the multiplication can be obtained by adding 1 to each subscript in the formula for c_0 (where the subscripts are reduced modulo 4). The formula for c_2 can be obtained by adding 2 to each subscript in the formula for c_0 and reducing the subscripts modulo 4. The formula for c_3 can likewise be obtained.

4. From the preceding remark we see that a circuit to compute c_0 from (a_0 a_1 a_2 a_3) and (b_0 b_1 b_2 b_3) can be used to compute c_1 by applying (a_1 a_2 a_3 a_0) and (b_1 b_2 b_3 b_0) to the circuit. Similarly, c_2 and c_3 can be computed by shifting the input vectors to the left.

As an example of how to compute in this representation of F_2^4, we have

(1001) · (1101) = (c_0 c_1 c_2 c_3)

where:

c_0 = (1)(0) ⊕ (0)(0 ⊕ 1) ⊕ (0)(1 ⊕ 1) ⊕ (1)(1 ⊕ 1) = 0
c_1 = (0)(1) ⊕ (0)(1 ⊕ 1) ⊕ (1)(1 ⊕ 0) ⊕ (1)(0 ⊕ 1) = 0
c_2 = (0)(1) ⊕ (1)(1 ⊕ 1) ⊕ (1)(0 ⊕ 1) ⊕ (0)(1 ⊕ 1) = 1
c_3 = (1)(1) ⊕ (1)(1 ⊕ 0) ⊕ (0)(1 ⊕ 1) ⊕ (0)(1 ⊕ 0) = 0.

That is,

(1001) · (1101) = (0010).

Also,

(1010)^10 = (1010)^2 · (1010)^8 = (0101) · (0101) = (1010),

and

(1101)^9 = (1101)^1 · (1101)^8 = (1101) · (1011) = (0001).

In this representation, F_2^4 can be generated by the powers of α = (1100):

α^0 = (1111)    α^5 = (1010)    α^10 = (0101)
α^1 = (1100)    α^6 = (0010)    α^11 = (1110)
α^2 = (0110)    α^7 = (0111)    α^12 = (0001)
α^3 = (0100)    α^8 = (1001)    α^13 = (1101)
α^4 = (0011)    α^9 = (1000)    α^14 = (1011).

This method of representing F_2^4 is called an optimal normal basis representation.
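As an added example (not code from X9.62), the Python below implements the ONB multiplication of Example 4 directly from the λ_ij table of step 5, deriving c_1, c_2 and c_3 by the subscript shift of Note 3 and squaring by the cyclic shift of Note 2; it reproduces (1001)·(1101) = (0010) and the powers of α = (1100). The cross-check that the λ table agrees with the shift rule on all 16 elements is the example's own addition.

```python
# Added example, not part of X9.62: multiplication in the optimal normal basis
# representation of F_2^4 from Example 4. The only input is the list of
# lambda_ij entries that are 1 (step 5); the c_k formulas follow from it by
# Note 3, and squaring is the cyclic shift of Note 2. Vectors are tuples
# (a0, a1, a2, a3) in the normal-basis bit order.

M = 4
LAMBDA_ONES = ((0, 2), (1, 2), (1, 3), (2, 0), (2, 1), (3, 1), (3, 3))

ONE = (1, 1, 1, 1)    # multiplicative identity in this basis (Note 1)


def vec(s: str) -> tuple:
    """'1001' -> (1, 0, 0, 1)."""
    return tuple(int(ch) for ch in s)


def fmt(v: tuple) -> str:
    return "".join(str(b) for b in v)


def onb_add(a: tuple, b: tuple) -> tuple:
    """C.2.4.a: bitwise XOR."""
    return tuple(x ^ y for x, y in zip(a, b))


def onb_mul(a: tuple, b: tuple) -> tuple:
    """C.2.4.b: c_0 = XOR of a_i b_j over all (i, j) with lambda_ij = 1, and
    c_k is the same formula with k added to every subscript (mod 4)."""
    c = []
    for k in range(M):
        bit = 0
        for i, j in LAMBDA_ONES:
            bit ^= a[(i + k) % M] & b[(j + k) % M]
        c.append(bit)
    return tuple(c)


def onb_square(a: tuple) -> tuple:
    """Note 2: squaring is a right cyclic shift of the vector."""
    return (a[-1],) + a[:-1]


def onb_pow(a: tuple, e: int) -> tuple:
    """Square-and-multiply, using the shift for every squaring."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = onb_mul(result, base)
        base = onb_square(base)
        e >>= 1
    return result


def powers_of(g: tuple, count: int = 15) -> list:
    """g^0, g^1, ..., g^(count-1); for a generator this lists every non-zero element."""
    out, cur = [], ONE
    for _ in range(count):
        out.append(cur)
        cur = onb_mul(cur, g)
    return out


def table_is_consistent() -> bool:
    """Cross-check the lambda table: a*a from onb_mul must equal the shift rule,
    and (1111) must act as the identity, for all 16 elements."""
    elems = [tuple((n >> (3 - i)) & 1 for i in range(M)) for n in range(16)]
    return all(onb_mul(a, a) == onb_square(a) and onb_mul(a, ONE) == a for a in elems)


if __name__ == "__main__":
    print(fmt(onb_mul(vec("1001"), vec("1101"))))       # (0010), as in the text
    for i, p in enumerate(powers_of(vec("1100"))):
        print(f"alpha^{i} = ({fmt(p)})")
```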

C.3. Elliptic Curves over F_p

Let p > 3 be a prime number. Let a, b ∈ F_p be such that 4a^3 + 27b^2 ≠ 0 in F_p. An elliptic curve E(F_p) over F_p defined by the parameters a and b is the set of solutions (x, y), x, y ∈ F_p, to the equation:

y^2 = x^3 + ax + b,

together with an extra point O, the point at infinity. The number of points in E(F_p) is denoted by #E(F_p). The Hasse Theorem tells us that

p + 1 - 2√p ≤ #E(F_p) ≤ p + 1 + 2√p.

The set of points E(F_p) forms a group with the following addition rules:

(i) O + O = O.

(ii) (x, y) + O = O + (x, y) = (x, y) for all (x, y) ∈ E(F_p).

(iii) (x, y) + (x, -y) = O for all (x, y) ∈ E(F_p) (i.e., the negative of the point (x, y) is -(x, y) = (x, -y)).

(iv) (Rule for adding two distinct points that are not inverses of each other)

Let (x_1, y_1) ∈ E(F_p) and (x_2, y_2) ∈ E(F_p) be two points such that x_1 ≠ x_2. Then (x_1, y_1) + (x_2, y_2) = (x_3, y_3), where:

x_3 = λ^2 - x_1 - x_2,  y_3 = λ(x_1 - x_3) - y_1,  and  λ = (y_2 - y_1)/(x_2 - x_1).

(v) (Rule for doubling a point)

Let (x_1, y_1) ∈ E(F_p) be a point with y_1 ≠ 0. Then 2(x_1, y_1) = (x_3, y_3), where:

x_3 = λ^2 - 2x_1,  y_3 = λ(x_1 - x_3) - y_1,  and  λ = (3x_1^2 + a)/(2y_1).

The group E(F_p) is abelian, which means that P_1 + P_2 = P_2 + P_1 for all points P_1 and P_2 in E(F_p). The curve is said to be supersingular if #E(F_p) = p + 1; otherwise it is non-supersingular. Only non-supersingular curves shall be in compliance with this standard (see Appendix D).


Example 5: An elliptic curve over F_23

Let y^2 = x^3 + x + 1 be an equation over F_23. Here a = 1 and b = 1. Then the solutions over F_23 to the equation of the elliptic curve are:

(0, 1)    (0, 22)   (1, 7)    (1, 16)   (3, 10)   (3, 13)   (4, 0)
(5, 4)    (5, 19)   (6, 4)    (6, 19)   (7, 11)   (7, 12)   (9, 7)
(9, 16)   (11, 3)   (11, 20)  (12, 4)   (12, 19)  (13, 7)   (13, 16)
(17, 3)   (17, 20)  (18, 3)   (18, 20)  (19, 5)   (19, 18)

The solutions were obtained by trial and error. The group E(F_23) has 28 points (including the point at infinity O). The following are examples of the group operation.

1. Let P_1 = (3, 10), P_2 = (9, 7), P_1 + P_2 = (x_3, y_3). Compute

   λ = (y_2 - y_1)/(x_2 - x_1) = (7 - 10)/(9 - 3) = -3/6 = -1/2 = 11 ∈ F_23,

   x_3 = λ^2 - x_1 - x_2 = 11^2 - 3 - 9 = 6 - 3 - 9 = -6 = 17,

   y_3 = λ(x_1 - x_3) - y_1 = 11(3 - 17) - 10 = 11(9) - 10 = 89 = 20.

   Therefore P_1 + P_2 = (17, 20).

2. Let P_1 = (3, 10), 2P_1 = (x_3, y_3). Compute

   λ = (3x_1^2 + a)/(2y_1) = (3(3^2) + 1)/20 = 5/20 = 1/4 = 6,

   x_3 = λ^2 - 2x_1 = 6^2 - 6 = 30 = 7,

   y_3 = λ(x_1 - x_3) - y_1 = 6(3 - 7) - 10 = -24 - 10 = -11 = 12.

   Therefore 2P_1 = (7, 12).
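As an added example (not code from X9.62), the Python below implements the E(F_p) addition rules of Section C.3 and the ECDSA key generation, signing and verification of Tables B-4 to B-6, run on the curve of Example 5. The base point G = 4·(3, 10) = (17, 3) of prime order n = 7, the toy private key and the message are assumptions made for the demonstration; because n is tiny, the SHA-1 output is reduced modulo n.

```python
# Added example, not part of X9.62: the E(F_p) addition rules of Section C.3
# and the ECDSA procedures of Tables B-4 to B-6 on the curve of Example 5,
# y^2 = x^3 + x + 1 over F_23. G = 4*(3,10) = (17,3), of prime order n = 7, and
# the key/message values are assumptions for this toy; SHA-1 is the hash of the
# standard, reduced modulo n here only because n is tiny.
import hashlib

P = 23
A, B = 1, 1
O = None                  # the point at infinity


def inv_mod(x: int, m: int) -> int:
    return pow(x % m, -1, m)


def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Rules (i)-(v) of Section C.3."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:            # rule (iii): p2 = -p1
        return O
    if p1 == p2:                                    # rule (v): doubling
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:                                           # rule (iv)
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, pt):
    """kP by double-and-add."""
    r, q = O, pt
    while k:
        if k & 1:
            r = ec_add(r, q)
        q = ec_add(q, q)
        k >>= 1
    return r


G = (17, 3)               # assumed base point 4*(3,10); n*G = O is checked in the test
N = 7


def hash_mod_n(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N


def ecdsa_keygen(d: int):
    """Table B-4: private key d in [1, n-1], public key Q = dP."""
    if not 1 <= d <= N - 1:
        raise ValueError("d out of range")
    return d, ec_mul(d, G)


def ecdsa_sign(d: int, msg: bytes, k: int):
    """Table B-5. Returns None when r or s is 0; the caller must then pick a new k."""
    if not 1 <= k <= N - 1:
        raise ValueError("k out of range")
    kg = ec_mul(k, G)
    if kg is O:
        return None
    r = kg[0] % N
    s = inv_mod(k, N) * (hash_mod_n(msg) + d * r) % N
    return None if r == 0 or s == 0 else (r, s)


def ecdsa_verify(q, msg: bytes, sig) -> bool:
    """Table B-6, preceded by the checks a verifier must not skip: Q is a valid
    point of order n, and r, s lie in [1, n-1]."""
    if q is O or not on_curve(q) or ec_mul(N, q) is not O:
        return False
    r, s = sig
    if not (1 <= r <= N - 1 and 1 <= s <= N - 1):
        return False
    w = inv_mod(s, N)
    u1, u2 = hash_mod_n(msg) * w % N, r * w % N
    x = ec_add(ec_mul(u1, G), ec_mul(u2, q))
    return x is not O and x[0] % N == r


if __name__ == "__main__":
    d, q = ecdsa_keygen(3)
    msg = b"constructed message"
    for k in range(1, N):                           # retry k until r, s are both non-zero
        sig = ecdsa_sign(d, msg, k)
        if sig is not None:
            break
    print(sig, ecdsa_verify(q, msg, sig))
```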
C.4. Elliptic Curves over F_2^m

A non-supersingular elliptic curve E(F_2^m) over F_2^m defined by the parameters a, b ∈ F_2^m, b ≠ 0, is the set of solutions (x, y), x ∈ F_2^m, y ∈ F_2^m, to the equation y^2 + xy = x^3 + ax^2 + b together with an extra point O, the point at infinity. The number of points in E(F_2^m) is denoted by #E(F_2^m). The Hasse Theorem tells us that

q + 1 - 2√q ≤ #E(F_2^m) ≤ q + 1 + 2√q,

where q = 2^m. Furthermore, #E(F_2^m) is even.

The set of points E(F_2^m) forms a group with the following addition rules:

(i) O + O = O.

(ii) (x, y) + O = O + (x, y) = (x, y) for all (x, y) ∈ E(F_2^m).

(iii) (x, y) + (x, x + y) = O for all (x, y) ∈ E(F_2^m) (i.e., the negative of the point (x, y) is -(x, y) = (x, x + y)).

(iv) (Rule for adding two distinct points that are not inverses of each other)

Let (x_1, y_1) ∈ E(F_2^m) and (x_2, y_2) ∈ E(F_2^m) be two points such that x_1 ≠ x_2. Then (x_1, y_1) + (x_2, y_2) = (x_3, y_3), where:

x_3 = λ^2 + λ + x_1 + x_2 + a,  y_3 = λ(x_1 + x_3) + x_3 + y_1,  and  λ = (y_1 + y_2)/(x_1 + x_2).

(v) (Rule for doubling a point)

Let (x_1, y_1) ∈ E(F_2^m) be a point with x_1 ≠ 0. Then 2(x_1, y_1) = (x_3, y_3), where

x_3 = λ^2 + λ + a,  y_3 = x_1^2 + (λ + 1)x_3,  and  λ = x_1 + y_1/x_1.

The group E(F_2^m) is abelian, which means that P_1 + P_2 = P_2 + P_1 for all points P_1 and P_2 in E(F_2^m).

We now give two examples of elliptic curves over F_2^4. Example 6 uses a trinomial basis representation for the field, and Example 7 uses an optimal normal basis representation.

Example 6: An elliptic curve over F_2^4. A trinomial basis representation is used for the elements of F_2^4.

Consider the field F_2^4 generated by the root α = x of the irreducible polynomial:

f(x) = x^4 + x + 1.

(See Example 3.) The powers of α are:

α^0 = (0001)    α^4 = (0011)    α^8 = (0101)     α^12 = (1111)
α^1 = (0010)    α^5 = (0110)    α^9 = (1010)     α^13 = (1101)
α^2 = (0100)    α^6 = (1100)    α^10 = (0111)    α^14 = (1001)
α^3 = (1000)    α^7 = (1011)    α^11 = (1110)    α^15 = α^0 = (0001)

Consider the non-supersingular elliptic curve over F_2^4 with defining equation:

y^2 + xy = x^3 + α^4 x^2 + 1.

Here, a = α^4 and b = 1. The notation for this equation can be expressed as follows, since the multiplicative identity is (0001):

(0001) y^2 + (0001) xy = (0001) x^3 + (0011) x^2 + (0001).

© 1997 American Bankers Association, X9.62-199x

Then the solutions over F_2^4 to the equation of the elliptic curve are:

(0, 1)        (1, α^6)      (1, α^13)     (α^3, α^8)    (α^3, α^13)   (α^5, α^3)    (α^5, α^11)
(α^6, α^8)    (α^6, α^14)   (α^9, α^10)   (α^9, α^13)   (α^10, α)     (α^10, α^8)   (α^12, 0)
(α^12, α^12).

The group E(F_2^4) has 16 points (including the point at infinity O). The following are examples of the group operation.

1. Let P_1 = (x_1, y_1) = (α^6, α^8), P_2 = (x_2, y_2) = (α^3, α^13), and P_1 + P_2 = (x_3, y_3). Then:

   λ = (y_1 + y_2)/(x_1 + x_2) = (α^8 + α^13)/(α^6 + α^3) = α^3/α^2 = α,

   x_3 = λ^2 + λ + x_1 + x_2 + a = α^2 + α + α^6 + α^3 + α^4 = 1,

   y_3 = λ(x_1 + x_3) + x_3 + y_1 = α(α^6 + 1) + 1 + α^8 = α^13.

2. If 2P_1 = (x_3, y_3), then:

   λ = x_1 + y_1/x_1 = α^6 + α^8/α^6 = α^6 + α^2 = α^3,

   x_3 = λ^2 + λ + a = α^6 + α^3 + α^4 = α^10,

   y_3 = x_1^2 + (λ + 1)x_3 = α^12 + (α^3 + 1)α^10 = α^8.
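The polynomial-basis arithmetic of Section C.2.1 and the F_2^m addition rules of Section C.4, as an added Python example that is not code from X9.62: it reproduces Example 3's product (1101)·(1001) = (1111) and the powers of α, then the two group operations of Example 6 and the point count of 16. The integer encoding of the bit strings and the exhaustive point count are the example's own choices.

```python
# Added example, not part of X9.62: polynomial-basis arithmetic in F_2^m with
# the reduction polynomial f(x) = x^4 + x + 1 of Example 3, and the point
# addition rules of Section C.4, checked against Example 6. A field element
# (a3 a2 a1 a0) is stored as the integer with bit i = a_i, so (1101) is 0b1101.

M = 4
F = 0b10011          # f(x) = x^4 + x + 1, bit 4 is the leading term
ALPHA = 0b0010       # alpha = x, the generator of Example 3


def gf_mul(a: int, b: int, f: int = F, m: int = M) -> int:
    """C.2.1.b: multiply as polynomials over F_2, reducing modulo f(x) as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:      # degree reached m: subtract (XOR) f(x)
            a ^= f
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^-1 = a^(2^m - 2); with a = g^i this is g^(2^m - 1 - i) as in Section C.2.1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << M) - 2)


def alpha_pow(i: int) -> int:
    return gf_pow(ALPHA, i)


# Points are (x, y) tuples; None is the point at infinity O.
def on_curve(p, a: int, b: int) -> bool:
    """y^2 + xy = x^3 + a x^2 + b."""
    if p is None:
        return True
    x, y = p
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(a, gf_mul(x, x)) ^ b
    return lhs == rhs


def ec_add(p, q, a: int):
    """Rules (i)-(v) of Section C.4 for E(F_2^m)."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if y1 != y2 or x1 == 0:          # rule (iii): q = -p = (x1, x1 + y1), or 2p = O
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))            # rule (v): lambda = x1 + y1/x1
        x3 = gf_mul(lam, lam) ^ lam ^ a
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
        return (x3, y3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))           # rule (iv): (y1 + y2)/(x1 + x2)
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def ec_mul(k: int, p, a: int):
    """Scalar multiple kP by double-and-add."""
    r, q = None, p
    while k:
        if k & 1:
            r = ec_add(r, q, a)
        q = ec_add(q, q, a)
        k >>= 1
    return r


def count_points(a: int, b: int) -> int:
    """#E(F_2^m) by exhaustive search, including O."""
    return 1 + sum(on_curve((x, y), a, b) for x in range(1 << M) for y in range(1 << M))


if __name__ == "__main__":
    a, b = alpha_pow(4), 1                       # the curve of Example 6
    p1, p2 = (alpha_pow(6), alpha_pow(8)), (alpha_pow(3), alpha_pow(13))
    print(ec_add(p1, p2, a), ec_add(p1, p1, a), count_points(a, b))
```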

Example 7: An elliptic curve over F_2^4. An optimal normal basis representation is used for the elements of F_2^4.

Consider the field F_2^4 given by the optimal normal basis representation in Example 4. That is, the elements of F_2^4 are the set of all binary 4-tuples with multiplication given by the formulae in Section 4.1.4.b. Recall that α = (1100) is a generator for the non-zero elements, and (1111) is the multiplicative identity. The powers of α are:

α^0 = (1111)    α^4 = (0011)    α^8 = (1001)     α^12 = (0001)
α^1 = (1100)    α^5 = (1010)    α^9 = (1000)     α^13 = (1101)
α^2 = (0110)    α^6 = (0010)    α^10 = (0101)    α^14 = (1011)
α^3 = (0100)    α^7 = (0111)    α^11 = (1110)    α^15 = α^0 = (1111)

Consider the non-supersingular curve over F_2^4 defined by the equation

E: y^2 + xy = x^3 + α^3.

Here, a = 0 and b = α^3. The notation for this equation can be expressed as follows since the multiplicative identity is (1111):

(1111) y^2 + (1111) xy = (1111) x^3 + (0100).

The solutions over F_2^4 to the elliptic curve equation are:

(0, α^9)      (α, 0)        (α, α)        (α^3, α^5)    (α^3, α^11)   (α^4, α^3)    (α^4, α^7)
(α^5, α^3)    (α^5, α^11)   (α^6, 0)      (α^6, α^6)    (α^8, α^3)    (α^8, α^13)   (α^11, 0)
(α^11, α^11)  (α^12, α^8)   (α^12, α^9)   (α^13, α^2)   (α^13, α^14).

Since there are 19 solutions to the equation in F_2^4, the group E(F_2^4) has 19 + 1 = 20 elements (including the point at infinity). This group turns out to be a cyclic group of order 20. If we take G = (α^3, α^5) and use the addition formulae, we find that:

 1G = (α^3, α^5)      6G = (α^8, α^3)     11G = (α^6, α^6)     16G = (α, α)
 2G = (α^4, α^3)      7G = (α^11, 0)      12G = (α^5, α^3)     17G = (α^13, α^14)
 3G = (α^13, α^2)     8G = (α^5, α^11)    13G = (α^11, α^11)   18G = (α^4, α^7)
 4G = (α, 0)          9G = (α^6, 0)       14G = (α^8, α^13)    19G = (α^3, α^11)
 5G = (α^12, α^8)    10G = (0, α^9)       15G = (α^12, α^9)    20G = O.
Appendix D Security Considerations

[Informative]

This appendix is provided as initial guidance for implementers of this Standard. This information should be expected to change over time. Implementers should review the current state-of-the-art in attacks on elliptic curve systems at the time of implementation.

The best attacks known on the elliptic curve discrete logarithm problem, which is the basis for the security of elliptic curve systems, are summarized. Estimates of security levels for elliptic curve parameters of various sizes are provided.

Notation

E denotes an elliptic curve over the finite field F_q. P ∈ E(F_q) is a point of order n, where n is a prime number and n > 2^160.

D.1. The Elliptic Curve Discrete Logarithm Problem

The elliptic curve discrete logarithm problem (ECDLP) is the following: given E, P and Q ∈ E, determine the integer l, 0 ≤ l ≤ n - 1, such that Q = lP, provided that such an integer exists.


The best general algorithm known to date for ECDLP is the Pollard-ρ method [36], which takes about √(πn/2) steps, where each step is an elliptic curve addition. The Pollard-ρ method can be parallelized (see [35]) so that if m processors are used, then the expected number of steps by each processor before a single discrete logarithm is obtained is (√(πn/2))/m.

The special classes of elliptic curves, called supersingular curves, have been prohibited in this Standard by 
the requirement of the MOV condition (see Section F.1.1). These curves have been prohibited because 
there is a method for efficiently reducing the discrete logarithm problem in these curves to the discrete 
logarithm problem in a finite field. 


Also, the special class of elliptic curves called F_q-anomalous curves have been prohibited by the requirement of the Anomalous condition (see Section F.1.2) because there is an efficient algorithm for computing discrete logarithms in E(F_q) where E is an anomalous curve over F_q (i.e. #E(F_q) = q).


To guard against existing attacks on ECDLP, one should select an elliptic curve E over F q such that: 

1. The order #E(F_q) is divisible by a large prime n > 2^160;

2. The MOV condition (Section F.1.1) holds; and 

3. The Anomalous condition (Section F.1.2) holds. 

Furthermore, to guard against possible future attacks against special classes of non-supersingular curves, it 
is prudent to select an elliptic curve at random. Section F.3.3 describes a method for selecting an elliptic 
curve verifiably at random. 


D.2. Software Attacks 

Assume that a 1 MIPS (Million Instructions Per Second) machine can perform 4×10^4 elliptic curve additions per second. (This estimate is indeed high — an ASIC (Application Specific Integrated Circuit) built for performing elliptic curve operations over the field F_2^155 has a 40 MHz clock-rate and can perform roughly 40,000 elliptic additions per second.) Then, the number of elliptic curve additions that can be performed by a 1 MIPS machine in one year is

(4×10^4) · (60×60×24×365) ≈ 2^40.

Table D-1 shows the computing power required to compute a single discrete logarithm for various values of n. As an example, if 10,000 computers each rated at 1,000 MIPS are available, and n ≈ 2^160, then an elliptic curve discrete logarithm can be computed in 96,000 years.

Odlyzko [34] has estimated that if 0.1% of the world's computing power were available for one year to work on a collaborative effort to break some challenge cipher, then the computing power available would be 10^8 MIPS years in 2004 and 10^10 to 10^11 MIPS years in 2014.


Field size (in bits)    Size of n (in bits)    √(πn/2)    MIPS years

163                     160                    2^80       9.6 × 10^11
191                     186                    2^93       7.9 × 10^15
239                     234                    2^117      1.3 × 10^23
359                     354                    2^177      1.5 × 10^41
431                     426                    2^213      1.0 × 10^52

Table D-1: Computing power required to compute elliptic curve logarithms with the Pollard-ρ method.


To put the numbers in Table D-1 into some perspective, Table D-2 (due to Odlyzko [34]) shows the computing power required to factor integers with 1995 versions of the general number field sieve.

Size of integer to be factored (in bits)    MIPS years

512                                         3 × 10^4
768                                         2 × 10^8
1024                                        3 × 10^11
1280                                        1 × 10^14
1536                                        3 × 10^16
2048                                        3 × 10^20

Table D-2: Computing power required to factor integers using the general number field sieve.

D.3. Hardware Attacks 

A more promising attack (for well-funded attackers) on elliptic curve systems would be to build special-purpose hardware for a parallel search. Van Oorschot and Wiener [35] provide a detailed study of such a possibility. In their 1994 study, they estimated that if n ≈ 10^36 ≈ 2^120, then a machine with m = 325,000 processors that could be built for about $10 million would compute a single discrete logarithm in about 35 days.

It must be emphasized that these estimates were made for specific elliptic curve parameters having n ≈ 10^36 ≈ 2^120. This Standard mandates that the parameter n should satisfy

n > 2^160 ≈ 10^48,

and hence the hardware attacks are infeasible.

D.4. Key Length Considerations 

It should be noted that for the software and hardware attacks described above, the computation of a single 
elliptic curve discrete logarithm has the effect of revealing a single user’s private key. The same effort must 
be repeated in order to determine another user’s private key. 

In [9], Blaze et al. report on the minimum key lengths required for secure symmetric-key encryption 
schemes (such as DES and IDEA). Their report provides the following conclusion: 

To provide adequate protection against the most serious threats — well-funded 
commercial enterprises or government intelligence agencies — keys used to protect data 
today should be at least 75 bits long. To protect information adequately for the next 20 
years in the face of expected advances in computing power, keys in newly-deployed 
systems should be at least 90 bits long. 


Extrapolating these conclusions to the case of elliptic curves, we see that n should be at least 150 bits for 
short-term security, and at least 180 bits for medium-term security. This extrapolation is justified by the 
following considerations: 

1. Exhaustive search through a k-bit symmetric-key cipher takes about the same time as the 
Pollard-ρ algorithm applied to an elliptic curve having a 2k-bit parameter n. 

2. Both exhaustive search with a symmetric-key cipher and the Pollard-ρ algorithm can be 
parallelized with a linear speedup. 

3. A basic operation with elliptic curves (addition of two points) is computationally more 
expensive than a basic operation in a symmetric-key cipher (encryption of one block). 

4. In both symmetric-key ciphers and elliptic curve systems, a “break” has the same effect: it 
recovers a single private key. 

D.5. Vaudenay’s Attack 

Vaudenay [40] presented some attacks on the DSA where an adversary can forge one signature if she can 
select the system parameters. One attack relies on the fact that the DSA signature hash function is actually 
SHA-1 mod q, not merely SHA-1. In ECDSA, Vaudenay’s attack is thwarted because n > 2^160. 

D.6. System Parameter Generation Decisions 

There are several decisions to make during system parameter generation (besides the key size) that affect 
security. These are as follows: 

1. Whether to use a probabilistic or deterministic primality test. If using a probabilistic test, what 
number of individual tests T to be used. The Standard specifies that when using a probabilistic test, 
T ≥ 50. If T = 50 then the chance that a probable prime output by this test is actually composite is 
less than 2^-100. This is a very remote possibility. If additional assurance is desired, a larger value 
for T may be specified or a deterministic primality test run. 

2. Whether to use the canonical seeded hash (Section F.3.3) to determine the elliptic curve 
parameters (a and b). For the DSA, there is the possibility that a particularly poor choice of 
system parameters could lead to an attack. To address this, the DSA requires the use of a 
canonical seeded hash to generate the system parameters p and q, as this provides an assurance that 
p and q were generated arbitrarily. The analogous attack on the ECDSA does not apply, and there 
are no known poor choices for system parameters that are not already excluded by this Standard. 
The use of a specific elliptic curve may allow performance improvements over the use of an 
arbitrary elliptic curve. For these reasons, this Standard allows both the choice of a particular 
elliptic curve or the generation of an arbitrary curve through the use of a canonical seeded hash 
function. One may desire to use an arbitrary curve when security considerations are so preeminent 
that the possible performance impact is not a factor in the decision. 

3. How large the MOV threshold B (see Section F.1) should be. The MOV threshold B is a positive 
integer such that taking discrete logarithms over F_{q^B} is at least as difficult as taking elliptic curve 
discrete logarithms over F_q. For this Standard, B ≥ 20. For example, for an elliptic curve over 
F_{2^191}, this means that all elliptic curves that are able to be mapped into finite fields with an order 
up to around 2^3800 are eliminated from consideration. The value B = 20 is a conservative choice, 
and is sufficient to ensure resistance against the reduction attack. 

4. What values to use for l_max and r_min when determining n, the order of the distinguished point P (see 
Section F.3.2). The value r_min is the minimum value that is appropriate for n, the order of the 
distinguished point P in the system parameters. For this Standard, r_min > 2^160. For example, if the 
order of the underlying field is 2^191, an appropriate value for r_min is ≈ 2^185. When the order of the 
underlying field is larger, a larger r_min and therefore a larger n is appropriate. Mitigating the choice 
is the fact that finding a curve satisfying stricter requirements will take longer. The trial division 
bound l_max is the maximum size of all prime factors of the cofactor h. In this Standard, the order of 
an elliptic curve will be a number u such that u = hn, where n is a large prime factor (and the order 
of the distinguished point P) and h is a number whose prime factors are all less than l_max. For 
example, if the order of the underlying field is 2^191 and r_min is 2^185, then an appropriate value for 
l_max is 255. 
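The four decisions above translate into checks that an implementation can run on a candidate parameter set before accepting it. The following Python is an added example, not code from this Standard or from its Annex F procedures: Miller-Rabin with T rounds for item 1, the MOV condition (q^k ≠ 1 mod n for 1 ≤ k ≤ B) for item 3, and the r_min and l_max bounds for item 4. The function names, the l_max default of 255 (taken from the example in item 4) and the sample inputs are assumptions: the sample field order q and group order n are those of the secp256k1 curve, which is not a curve from this page, and the small rejected values are constructed.

```python
import secrets


def is_probable_prime(n, T=50):
    """Miller-Rabin with T independent random bases (D.6, item 1). A composite n
    survives one round with probability at most 1/4, so T = 50 gives < 2^-100."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(T):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def mov_condition_holds(q, n, B=20):
    """MOV threshold check (D.6, item 3): q^k != 1 (mod n) for 1 <= k <= B, so the
    order-n subgroup cannot be mapped into F_{q^k} for any k up to B."""
    return all(pow(q, k, n) != 1 for k in range(1, B + 1))


def cofactor_factors_below(h, l_max):
    """Trial-division bound (D.6, item 4): every prime factor of h is < l_max."""
    if h < 1:
        return False
    p = 2
    while p * p <= h:
        while h % p == 0:
            if p >= l_max:
                return False
            h //= p
        p += 1
    return h < l_max                     # h is now 1 or its last prime factor


def validate_parameters(q, n, h, r_min, B=20, l_max=255, T=50):
    """Return the D.6 checks that (q, n, h) fail; an empty list means accepted.
    q is the field order, n the prime order of P, h the cofactor (u = h*n)."""
    failures = []
    if n <= r_min:
        failures.append("n below r_min")
    if not is_probable_prime(n, T):
        failures.append("n not prime")
    if not mov_condition_holds(q, n, B):
        failures.append("MOV condition fails")
    if not cofactor_factors_below(h, l_max):
        failures.append("cofactor has a prime factor >= l_max")
    return failures


# Sample parameters (assumption: secp256k1, a prime-field curve not from this
# page; q = p = 2^256 - 2^32 - 977, prime group order n, cofactor h = 1).
SECP256K1_Q = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def validate_sample_curve():
    return validate_parameters(SECP256K1_Q, SECP256K1_N, 1, r_min=2**160)
```

validate_parameters returns the list of failing checks rather than a bare boolean so that a curve-generation loop can log why a candidate was discarded; for a binary field, q is 2^m. The constructed call validate_parameters(11, 3, 257, 2**160) fails three of the four checks, since 11^2 ≡ 1 (mod 3) is caught at k = 2 of the MOV loop and 257 ≥ l_max.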

D.7. Repeated Cryptovariables 

If two users are using the same system parameters and somehow generate identical private key d values, 
then either could impersonate the other. As the private key d is a value between 1 and n - 1 (inclusive) and n 
is required to be greater than 2^160, a duplicate private key is only expected to happen by chance (due to the 
birthday phenomenon) after about 2^80 key pairs have been generated. As 2^80 is over 1 million million 
million million, this is not expected to happen. However, it is possible that a private key might repeat due 
to a hardware or software error or a poorly-seeded pseudorandom number generator. If this occurred, the 
public key Q for the two users would also repeat. To address the possibility of error, a service that a 
Certificate Authority may choose to provide for users with high security requirements is to monitor public 
keys to ensure that there are no duplicates. If a duplicate public key is detected, then both parties should 
separately be told to revoke their current public key, determine if there has been an error, try to determine 
the cause of the error, decide what corrective action to take (if any), and regenerate new key pairs. 

The possibility of a per-message secret k value repeating during signature generation may also be a concern. 
A k value has the same numeric and security constraints as a private key. If a k value repeats for two 
different messages, then the r value in the signature will also repeat and it is then possible for an adversary 
with access to both signatures to recover the associated private key. As with the private key, this event 
should never occur except by chance. One way to address the possibility of an otherwise undetected 
hardware or software error or a poorly-seeded pseudorandom number generator is for a system intended for 
users with high security requirements to maintain a list of r values previously output by signature generation 
so that it can detect if an r value ever repeats. If a repeated r value is detected, the associated signature 
should not be output and a possible error indicated. The owner of the system should try to determine what 
happened and what corrective action to take, including whether to continue to operate the system. 

D.8. Attacks on the Hash Function 

This standard specifies the use of the Secure Hash Algorithm Revision 1 (SHA-1). If SHA-1 is broken, this 
Standard should not be used as it is currently written. 

D.9. Security Non-Considerations 

There are several choices that may be made in this Standard that do not affect security. 

Other considerations, such as performance or bandwidth, may be used to determine the requirements of an 
implementation. 

1. The choice of basis representation for the finite field F_{2^m} is not a security consideration. That is, 
polynomial bases and optimal normal bases are equally secure. In fact, because an appropriate 
matrix multiplication transforms one representation into the other (see Section G.2.3), a valid 
implementation choice to meet a specific output basis requirement is to use one basis internally to 
do the calculations and then transform the results into the other basis by using the proper change-of-basis 
matrix. 

2. The choice of the base point P is not a security consideration as long as it has a large prime order 
as required by this Standard. That is, for a given elliptic curve, there are many equally-secure 
possibilities for the distinguished point P. 

3. The representation of a point in a compressed or uncompressed form is not a security 
consideration. 
Appendix E Tables of Trinomials, Pentanomials, and Optimal Normal Bases 

[Informative] 

E.1. Table of Fields F_{2^m} which have an ONB 

Table E-1: Values of m, 160 < m < 2000, for which the field F_{2^m} has an ONB over F_2. 

 162*   293   429   585   741   873  1041  1218  1359  1530* 1746* 1900*
 172*   299   431   586*  743   876* 1043  1223  1370  1533  1749  1901
 173    303   438   593   746   879  1049  1228* 1372* 1539  1755  1906*
 174    306   441   606   749   882* 1055  1229  1380* 1541  1758  1923
 178*   309   442*  611   755   891  1060* 1233  1394  1548* 1763  1925
 179    316*  443   612*  756*  893  1065  1236* 1398  1559  1766  1926
 180*   323   453   614   761   906* 1070  1238  1401  1570* 1769  1930*
 183    326   460*  615   765   911  1090* 1251  1409  1583  1773  1931
 186    329   466*  618+  771   923  1103  1258* 1418  1593  1778  1938
 189    330   470   629   772*  930  1106  1265  1421  1601  1779  1948*
 191    338   473   638   774   933  1108* 1269  1425  1618* 1785  1953
 194    346*  483   639   779   935  1110  1271  1426* 1620* 1786* 1955
 196*   348*  490*  641   783   938  1116* 1274  1430  1626  1790  1958
 209    350   491   645   785   939  1118  1275  1439  1636* 1791  1959
 210+   354   495   650   786*  940* 1119  1276* 1443  1649  1806  1961
 221    359   508*  651   791   946* 1121  1278  1450* 1653  1811  1965
 226*   371   509   652*  796*  950  1122* 1282* 1451  1659  1818  1972*
 230    372*  515   653   803   953  1133  1289  1452* 1661  1821  1973
 231    375   519   658*  809   965  1134  1290* 1454  1666* 1829  1978*
 233    378+  522*  659   810   974  1146  1295  1463  1668* 1835  1983
 239    386   530   660*  818   975  1154  1300* 1469  1673  1838  1986*
 243    388*  531   676*  820*  986  1155  1306* 1478  1679  1845  1994
 245    393   540*  683   826*  989  1166  1310  1481  1685  1850  1996*
 251    398   543   686   828*  993  1169  1323  1482* 1692* 1854
 254    410   545   690   831   998  1170* 1329  1492* 1703  1859
 261    411   546*  700*  833  1013  1178  1331  1498* 1706  1860*
 268*   413   554   708*  834  1014  1185  1338  1499  1730  1863
 270    414   556*  713   846  1018* 1186* 1341  1505  1732* 1866+
 273    418*  558   719   852* 1019  1194  1346  1509  1733  1876*
 278    419   561   723   858* 1026  1199  1349  1511  1734  1883
 281    420*  562*  725   866  1031  1211  1353  1518  1740* 1889
 292*   426   575   726   870  1034  1212* 1355  1522* 1745  1898

* indicates the existence of a type I ONB; + indicates the existence of both a type 
I and a type II ONB; otherwise there exists only a type II ONB. 
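Table E-1 can be regenerated from the classification of optimal normal bases instead of being read from the page. The following Python is an added example, not part of the Standard: onb_type applies the Mullin-Onyszchuk-Vanstone-Wilson criteria (type I when m + 1 is prime and 2 is a primitive root modulo m + 1; type II when 2m + 1 is prime and 2 either is a primitive root modulo 2m + 1 or, for 2m + 1 ≡ 3 (mod 4), has order exactly m), and onb_table_slice renders a range of m with the table's markers. Those criteria are a standard result that the page itself does not state; the function names are the author's.

```python
def is_prime(n):
    """Trial division, adequate for the sizes in Table E-1 (n < 4001)."""
    if n < 2:
        return False
    p = 2
    while p * p <= n:
        if n % p == 0:
            return False
        p += 1
    return True


def mult_order(a, p):
    """Multiplicative order of a modulo the prime p (0 if p divides a)."""
    v = a % p
    if v == 0:
        return 0
    k = 1
    while v != 1:
        v = v * a % p
        k += 1
    return k


def onb_type(m):
    """Optimal normal bases of F_{2^m} over F_2, by the criteria of Mullin,
    Onyszchuk, Vanstone and Wilson (a standard result, not stated on the page):
      type I  exists iff m + 1 is prime and 2 is a primitive root mod m + 1;
      type II exists iff 2m + 1 is prime and either 2 is a primitive root
              mod 2m + 1, or 2m + 1 = 3 (mod 4) and 2 has order exactly m
              (i.e. generates the quadratic residues).
    Returns "I", "II" or "I+II" (the table's '*', unmarked and '+'), else None."""
    type1 = is_prime(m + 1) and mult_order(2, m + 1) == m
    p = 2 * m + 1
    type2 = is_prime(p) and (mult_order(2, p) == 2 * m
                             or (p % 4 == 3 and mult_order(2, p) == m))
    if type1 and type2:
        return "I+II"
    return "I" if type1 else "II" if type2 else None


def onb_table_slice(lo=160, hi=200):
    """Entries of Table E-1 with lo < m < hi, rendered with the table's markers."""
    marker = {"I": "*", "I+II": "+", "II": ""}
    rows = []
    for m in range(lo + 1, hi):
        t = onb_type(m)
        if t is not None:
            rows.append(f"{m}{marker[t]}")
    return rows
```

onb_table_slice() reproduces the first column of the table (162*, 172*, 173, ...); the same function with lo = 160 and hi = 2000 rebuilds the whole of Table E-1, and an entry such as 163 comes back as None because neither 164 nor 327 is prime.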
E.2. Irreducible Trinomials Over F_2 

Table E-2: Irreducible trinomials x^m + x^k + 1 over F_2. 

For each m, 160 < m ≤ 609, for which an irreducible trinomial of degree m exists, the table 
lists the smallest k for which x^m + x^k + 1 is irreducible over F_2. 





  m    k |   m    k |   m    k |   m    k |   m    k |   m    k
161   18 | 236    5 | 308   15 | 383   90 | 458  203 | 527   47
162   27 | 238   73 | 310   93 | 385    6 | 460   19 | 529   42
166   37 | 239   36 | 313   79 | 386   83 | 462   73 | 532    1
167    6 | 241   70 | 314   15 | 388  159 | 463   93 | 534  161
169   34 | 242   95 | 316   63 | 390    9 | 465   31 | 537   94
170   11 | 244  111 | 318   45 | 391   28 | 468   27 | 538  195
172    1 | 247   82 | 319   36 | 393    7 | 470    9 | 540    9
174   13 | 249   35 | 321   31 | 394  135 | 471    1 | 543   16
175    6 | 250  103 | 322   67 | 396   25 | 473  200 | 545  122
177    8 | 252   15 | 324   51 | 399   26 | 474  191 | 550  193
178   31 | 253   46 | 327   34 | 401  152 | 476    9 | 551  135
180    3 | 255   52 | 329   50 | 402  171 | 478  121 | 553   39
182   81 | 257   12 | 330   99 | 404   65 | 479  104 | 556  153
183   56 | 258   71 | 332   89 | 406  141 | 481  138 | 558   73
185   24 | 260   15 | 333    2 | 407   71 | 484  105 | 559   34
186   11 | 263   93 | 337   55 | 409   87 | 486   81 | 561   71
191    9 | 265   42 | 340   45 | 412  147 | 487   94 | 564  163
193   15 | 266   47 | 342  125 | 414   13 | 489   83 | 566  153
194   87 | 268   25 | 343   75 | 415  102 | 490  219 | 567   28
196    3 | 270   53 | 345   22 | 417  107 | 492    7 | 569   77
198    9 | 271   58 | 346   63 | 418  199 | 494   17 | 570   67
199   34 | 273   23 | 348  103 | 420    7 | 495   76 | 574   13
201   14 | 274   67 | 350   53 | 422  149 | 497   78 | 575  146
202   55 | 276   63 | 351   34 | 423   25 | 498  155 | 577   25
204   27 | 278    5 | 353   69 | 425   12 | 500   27 | 580  237
207   43 | 279    5 | 354   99 | 426   63 | 503    3 | 582   85
209    6 | 281   93 | 358   57 | 428  105 | 505  156 | 583  130
210    7 | 282   35 | 359   68 | 431  120 | 506   23 | 585   88
212  105 | 284   53 | 362   63 | 433   33 | 508    9 | 588   35
214   73 | 286   69 | 364    9 | 436  165 | 510   69 | 590   93
215   23 | 287   71 | 366   29 | 438   65 | 511   10 | 593   86
217   45 | 289   21 | 367   21 | 439   49 | 513   26 | 594   19
218   11 | 292   37 | 369   91 | 441    7 | 514   67 | 596  273
220    7 | 294   33 | 370  139 | 444   81 | 516   21 | 599   30
223   33 | 295   48 | 372  111 | 446  105 | 518   33 | 601  201
225   32 | 297    5 | 375   16 | 447   73 | 519   79 | 602  215
228  113 | 300    5 | 377   41 | 449  134 | 521   32 | 604  105
231   26 | 302   41 | 378   43 | 450   47 | 522   39 | 606  165
233   74 | 303    1 | 380   47 | 455   38 | 524  167 | 607  105
234   31 | 305  102 | 382   81 | 457   16 | 526   97 | 609   31
Table E-2.a: Irreducible trinomials x^m + x^k + 1 over F_2. 

For each m, 610 ≤ m ≤ 1060, for which an irreducible trinomial of degree m exists, the table 
lists the smallest k for which x^m + x^k + 1 is irreducible over F_2. 





   m    k |    m    k |    m    k |    m    k |    m    k |    m    k
 610  127 |  684  209 |  754   19 |  833  149 |  903   35 |  988  121
 612   81 |  686  197 |  756   45 |  834   15 |  905  117 |  990  161
 614   45 |  687   13 |  758  233 |  838   61 |  906  123 |  991   39
 615  211 |  689   14 |  759   98 |  839   54 |  908  143 |  993   62
 617  200 |  690   79 |  761    3 |  841  144 |  911  204 |  994  223
 618  295 |  692  299 |  762   83 |  842   47 |  913   91 |  996   65
 620    9 |  694  169 |  767  168 |  844  105 |  916  183 |  998  101
 622  297 |  695  177 |  769  120 |  845    2 |  918   77 |  999   59
 623   68 |  697  267 |  772    7 |  846  105 |  919   36 | 1001   17
 625  133 |  698  215 |  774  185 |  847  136 |  921  221 | 1007   75
 626  251 |  700   75 |  775   93 |  849  253 |  924   31 | 1009   55
 628  223 |  702   37 |  777   29 |  850  111 |  926  365 | 1010   99
 631  307 |  705   17 |  778  375 |  852  159 |  927  403 | 1012  115
 633  101 |  708   15 |  780   13 |  855   29 |  930   31 | 1014  385
 634   39 |  711   92 |  782  329 |  857  119 |  932  177 | 1015  186
 636  217 |  713   41 |  783   68 |  858  207 |  935  417 | 1020  135
 639   16 |  714   23 |  785   92 |  860   35 |  937  217 | 1022  317
 641   11 |  716  183 |  791   30 |  861   14 |  938  207 | 1023    7
 642  119 |  718  165 |  793  253 |  862  349 |  942   45 | 1025  294
 646  249 |  719  150 |  794  143 |  865    1 |  943   24 | 1026   35
 647    5 |  721    9 |  798   53 |  866   75 |  945   77 | 1028  119
 649   37 |  722  231 |  799   25 |  868  145 |  948  189 | 1029   98
 650    3 |  724  207 |  801  217 |  870  301 |  951  260 | 1030   93
 651   14 |  726    5 |  804   75 |  871  378 |  953  168 | 1031   68
 652   93 |  727  180 |  806   21 |  873  352 |  954  131 | 1033  108
 654   33 |  729   58 |  807    7 |  876  149 |  956  305 | 1034   75
 655   88 |  730  147 |  809   15 |  879   11 |  959  143 | 1036  411
 657   38 |  732  343 |  810  159 |  881   78 |  961   18 | 1039   21
 658   55 |  735   44 |  812   29 |  882   99 |  964  103 | 1041  412
 660   11 |  737    5 |  814   21 |  884  173 |  966  201 | 1042  439
 662   21 |  738  347 |  815  333 |  887  147 |  967   36 | 1044   41
 663  107 |  740  135 |  817   52 |  889  127 |  969   31 | 1047   10
 665   33 |  742   85 |  818  119 |  890  183 |  972    7 | 1049  141
 668  147 |  743   90 |  820  123 |  892   31 |  975   19 | 1050  159
 670  153 |  745  258 |  822   17 |  894  173 |  977   15 | 1052  291
 671   15 |  746  351 |  823    9 |  895   12 |  979  178 | 1054  105
 673   28 |  748   19 |  825   38 |  897  113 |  982  177 | 1055   24
 676   31 |  750  309 |  826  255 |  898  207 |  983  230 | 1057  198
 679   66 |  751   18 |  828  189 |  900    1 |  985  222 | 1058   27
 682  171 |  753  158 |  831   49 |  902   21 |  986    3 | 1060  439
Table E-2.b: Irreducible trinomials x^m + x^k + 1 over F_2. 

For each m, 1061 < m ≤ 1516, for which an irreducible trinomial of degree m exists, the table 
lists the smallest k for which x^m + x^k + 1 is irreducible over F_2. 

   m    k |    m    k |    m    k |    m    k |    m    k |    m    k
1062   49 | 1140  141 | 1212  203 | 1287  470 | 1366    1 | 1441  322
1063  168 | 1142      | 1214  257 | 1289   99 | 1367  134 | 1442  395
1065  463 | 1145  277 | 1215  302 | 1294  201 | 1369      | 1444  595
1071    7 | 1146  131 | 1217  393 | 1295   38 | 1372  181 | 1446  421
1078  361 | 1148   23 | 1218   91 | 1297  198 | 1374  609 | 1447  195
1079  230 | 1151   90 | 1220  413 | 1298  399 | 1375   52 | 1449   13
1081   24 | 1153  241 | 1223  255 | 1300   75 | 1377  100 | 1452  315
1082  407 | 1154   75 | 1225  234 | 1302   77 | 1380  183 | 1454  297
1084  189 | 1156  307 | 1226  167 | 1305  326 | 1383  130 | 1455   52
1085   62 | 1158  245 | 1228   27 | 1306   39 | 1385   12 | 1457  314
1086  189 | 1159   66 | 1230  433 | 1308  495 | 1386  219 | 1458  243
1087  112 | 1161  365 | 1231  105 | 1310  333 | 1388   11 | 1460  185
1089   91 | 1164   19 | 1233  151 | 1311  476 | 1390  129 | 1463  575
1090   79 | 1166  189 | 1234  427 | 1313  164 | 1391    3 | 1465   39
1092   23 | 1167  133 | 1236   49 | 1314   19 | 1393  300 | 1466  311
1094   57 | 1169  114 | 1238  153 | 1319  129 | 1396   97 | 1468  181
1095  139 | 1170   27 | 1239    4 | 1321   52 | 1398  601 | 1470   49
1097   14 | 1174  133 | 1241   54 | 1324  337 | 1399   55 | 1471   25
1098   83 | 1175  476 | 1242  203 | 1326  397 | 1401   92 | 1473   77
1100   35 | 1177   16 | 1246   25 | 1327  277 | 1402  127 | 1476   21
1102  117 | 1178  375 | 1247   14 | 1329   73 | 1404   81 | 1478   69
1103   65 | 1180   25 | 1249  187 | 1332   95 | 1407   47 | 1479   49
1105   21 | 1182   77 | 1252   97 | 1334  617 | 1409  194 | 1481   32
1106  195 | 1183   87 | 1255  589 | 1335  392 | 1410  383 | 1482  411
1108  327 | 1185  134 | 1257  289 | 1337   75 | 1412  125 | 1486   85
1110  417 | 1186  171 | 1260   21 | 1338  315 | 1414  429 | 1487  140
1111   13 | 1188   75 | 1263   77 | 1340  125 | 1415  282 | 1489  252
1113  107 | 1190  233 | 1265  119 | 1343  348 | 1417  342 | 1490  279
1116   59 | 1191  196 | 1266    7 | 1345  553 | 1420   33 | 1492  307
1119  283 | 1193  173 | 1268  345 | 1348  553 | 1422   49 | 1495   94
1121   62 | 1196  281 | 1270  333 | 1350  237 | 1423   15 | 1497   49
1122  427 | 1198  405 | 1271   17 | 1351   39 | 1425   28 | 1500   25
1126  105 | 1199  114 | 1273  168 | 1353  371 | 1426  103 | 1503   80
1127   27 | 1201  171 | 1276  217 | 1354  255 | 1428   27 | 1505  246
1129  103 | 1202  287 | 1278  189 | 1356  131 | 1430   33 | 1508  599
1130  551 | 1204   43 | 1279  216 | 1358  117 | 1431   17 | 1510  189
1134  129 | 1206  513 | 1281  229 | 1359   98 | 1433  387 | 1511  278
1135    9 | 1207  273 | 1282  231 | 1361   56 | 1434  363 | 1513  399
1137  277 | 1209  118 | 1284  223 | 1362  655 | 1436   83 | 1514  299
1138   31 | 1210  243 | 1286  153 | 1364  239 | 1438  357 | 1516  277

(The k values for m = 1142 and m = 1369 are not legible in the source copy of this table.) 
Table E-2.c: Irreducible trinomials x^m + x^k + 1 over F_2. 

For each m, 1517 < m < 2000, for which an irreducible trinomial of degree m exists, the table 
lists the smallest k for which x^m + x^k + 1 is irreducible over F_2. 





   m    k |    m    k |    m    k |    m    k |    m    k |    m    k
1518   69 | 1590  169 | 1673   90 | 1756   99 | 1838   53 | 1927   25
1519  220 | 1591   15 | 1674  755 | 1759  165 | 1839  836 | 1929   31
1521  229 | 1593  568 | 1676  363 | 1764  105 | 1841   66 | 1932  277
1524   27 | 1596    3 | 1678  129 | 1767  250 | 1844  339 | 1934  413
1526  473 | 1599  643 | 1679   20 | 1769  327 | 1846  901 | 1935  103
1527  373 | 1601  548 | 1681  135 | 1770  279 | 1847  180 | 1937  231
1529   60 | 1602  783 | 1687   31 | 1772  371 | 1849   49 | 1938  747
1530  207 | 1604  317 | 1689  758 | 1774  117 | 1854  885 | 1940  113
1534  225 | 1606  153 | 1692  359 | 1775  486 | 1855   39 | 1943   11
1535  404 | 1607   87 | 1694  501 | 1777  217 | 1857  688 | 1945   91
1537   46 | 1609  231 | 1695   29 | 1778  635 | 1860   13 | 1946   51
1540   75 | 1612  111 | 1697  201 | 1780  457 | 1862  149 | 1948  603
1542  365 | 1615  103 | 1698  459 | 1782   57 | 1863  260 | 1950    9
1543  445 | 1617  182 | 1700  225 | 1783  439 | 1865   53 | 1951  121
1545   44 | 1618  211 | 1703  161 | 1785  214 | 1866   11 | 1953   17
1548   63 | 1620   27 | 1705   52 | 1788  819 | 1870  121 | 1956  279
1550  189 | 1623   17 | 1708   93 | 1790  593 | 1871  261 | 1958   89
1551  557 | 1625   69 | 1710  201 | 1791  190 | 1873  199 | 1959  371
1553  252 | 1628  603 | 1711  178 | 1793  114 | 1878  253 | 1961  771
1554   99 | 1630  741 | 1713  250 | 1798   69 | 1879  174 | 1962   99
1556   65 | 1631  668 | 1716  221 | 1799  312 | 1881  370 | 1964   21
1558    9 | 1633  147 | 1719  113 | 1801  502 | 1884  669 | 1966  801
1559  119 | 1634  221 | 1721  300 | 1802  843 | 1886  833 | 1967   26
1561  339 | 1636   37 | 1722   39 | 1804  747 | 1887  353 | 1969  175
1562   95 | 1638  173 | 1724  261 | 1806  101 | 1889   29 | 1974  165
1564    7 | 1639  427 | 1726  753 | 1807  123 | 1890  371 | 1975  841
1566   77 | 1641  287 | 1729   94 | 1809  521 | 1895  873 | 1977  238
1567  127 | 1642  231 | 1734  461 | 1810  171 | 1900  235 | 1980   33
1569  319 | 1647  310 | 1735  418 | 1814  545 | 1902  733 | 1983  113
1570  667 | 1649  434 | 1737  403 | 1815  163 | 1903  778 | 1985  311
1572  501 | 1650  579 | 1738  267 | 1817  479 | 1905  344 | 1986  891
1575   17 | 1652   45 | 1740  259 | 1818  495 | 1906  931 | 1988  555
1577  341 | 1655   53 | 1742  869 | 1820   11 | 1908  945 | 1990  133
1578  731 | 1657   16 | 1743  173 | 1823  684 | 1911   67 | 1991  546
1580  647 | 1660   37 | 1745  369 | 1825    9 | 1913  462 | 1993  103
1582  121 | 1663   99 | 1746  255 | 1828  273 | 1918  477 | 1994   15
1583   20 | 1665  176 | 1748  567 | 1830  381 | 1919  105 | 1996  307
1585  574 | 1666  271 | 1750  457 | 1831   51 | 1921  468 | 1999  367
1586  399 | 1668  459 | 1751  482 | 1833  518 | 1924  327 |
1588   85 | 1671  202 | 1753  775 | 1836  243 | 1926  357 |
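The entries of Tables E-2 through E-2.c, and the pentanomials of Section E.3 that follow, can be checked with a polynomial irreducibility test over F_2. The following Python is an added example, not code from the Standard: polynomials are integer bit masks, gf2_mulmod and gf2_gcd supply arithmetic in F_2[x], is_irreducible is Rabin's test (f of degree m is irreducible iff x^(2^m) ≡ x (mod f) and gcd(x^(2^(m/p)) - x, f) = 1 for each prime p dividing m), and smallest_trinomial_k reproduces the rule by which each Table E-2 entry was chosen. The sampled entries and the two control polynomials are the author's selection; the function names are assumptions.

```python
def trinomial(m, k):
    """x^m + x^k + 1 as a bit mask (bit i is the coefficient of x^i)."""
    return (1 << m) | (1 << k) | 1


def pentanomial(m, k3, k2, k1):
    """x^m + x^k3 + x^k2 + x^k1 + 1, exponents in the order used by Table E-3."""
    return (1 << m) | (1 << k3) | (1 << k2) | (1 << k1) | 1


def gf2_mod(a, b):
    """Remainder of a divided by b in F_2[x] (b != 0)."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def gf2_mulmod(a, b, f):
    """a * b mod f in F_2[x]; a and b must already be reduced mod f."""
    m = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:                  # degree reached m: subtract f
            a ^= f
    return r


def prime_factors(n):
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out


def is_irreducible(f):
    """Rabin's test: f of degree m is irreducible over F_2 iff x^(2^m) = x (mod f)
    and gcd(x^(2^(m/p)) - x, f) = 1 for every prime p dividing m."""
    m = f.bit_length() - 1
    if m < 1:
        return False
    if m == 1:
        return True                       # x and x + 1
    x = 2
    pw = [x]                              # pw[i] = x^(2^i) mod f
    for _ in range(m):
        pw.append(gf2_mulmod(pw[-1], pw[-1], f))
    if pw[m] != x:
        return False
    return all(gf2_gcd(f, pw[m // p] ^ x) == 1 for p in prime_factors(m))


def smallest_trinomial_k(m):
    """Smallest k with x^m + x^k + 1 irreducible (the rule behind Table E-2),
    or None when degree m has no irreducible trinomial at all."""
    for k in range(1, m):
        if is_irreducible(trinomial(m, k)):
            return k
    return None


def check_table_entries():
    """Re-test a sample of table entries (the author's selection) alongside two
    control polynomials of known status: the AES field polynomial (irreducible)
    and x^4 + x^2 + 1 = (x^2 + x + 1)^2 (reducible)."""
    return {
        "x^191 + x^9 + 1": is_irreducible(trinomial(191, 9)),
        "x^233 + x^74 + 1": is_irreducible(trinomial(233, 74)),
        "x^409 + x^87 + 1": is_irreducible(trinomial(409, 87)),
        "x^163 + x^8 + x^2 + x + 1": is_irreducible(pentanomial(163, 8, 2, 1)),
        "x^8 + x^4 + x^3 + x + 1": is_irreducible(pentanomial(8, 4, 3, 1)),
        "x^4 + x^2 + 1": is_irreducible(trinomial(4, 2)),
    }
```

smallest_trinomial_k(8) returns None, in line with Table E-3 carrying a pentanomial for every multiple of 8, while smallest_trinomial_k(191) returns the 9 listed in Table E-2. The same is_irreducible call validates a reduction polynomial received in a parameter set before it is used for field arithmetic.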
E.3. Irreducible Pentanomials Over F_2 

Table E-3: Irreducible pentanomials x^m + x^k3 + x^k2 + x^k1 + 1 over F_2. 

For each m, 160 ≤ m ≤ 488, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial x^m + x^k3 + x^k2 + x^k1 + 1 is irreducible over 
F_2. 


  m   (k1, k2, k3) |   m   (k1, k2, k3) |   m   (k1, k2, k3) |   m   (k1, k2, k3)
160   (1, 2, 117)  | 243   (1, 2, 17)   | 326   (1, 2, 67)   | 410   (1, 2, 16)
163   (1, 2, 8)    | 245   (1, 2, 37)   | 328   (1, 2, 51)   | 411   (1, 2, 50)
164   (1, 2, 49)   | 246   (1, 2, 11)   | 331   (1, 2, 134)  | 413   (1, 2, 33)
165   (1, 2, 25)   | 248   (1, 2, 243)  | 334   (1, 2, 5)    | 416   (1, 3, 76)
168   (1, 2, 65)   | 251   (1, 2, 45)   | 335   (1, 2, 250)  | 419   (1, 2, 129)
171   (1, 3, 42)   | 254   (1, 2, 7)    | 336   (1, 2, 77)   | 421   (1, 2, 81)
173   (1, 2, 10)   | 256   (1, 2, 155)  | 338   (1, 2, 112)  | 424   (1, 2, 177)
176   (1, 2, 43)   | 259   (1, 2, 254)  | 339   (1, 2, 26)   | 427   (1, 2, 245)
179   (1, 2, 4)    | 261   (1, 2, 74)   | 341   (1, 2, 57)   | 429   (1, 2, 14)
181   (1, 2, 89)   | 262   (1, 2, 207)  | 344   (1, 2, 7)    | 430   (1, 2, 263)
184   (1, 2, 81)   | 264   (1, 2, 169)  | 347   (1, 2, 96)   | 432   (1, 2, 103)
187   (1, 2, 20)   | 267   (1, 2, 29)   | 349   (1, 2, 186)  | 434   (1, 2, 64)
188   (1, 2, 60)   | 269   (1, 2, 117)  | 352   (1, 2, 263)  | 435   (1, 2, 166)
189   (1, 2, 49)   | 272   (1, 3, 56)   | 355   (1, 2, 138)  | 437   (1, 2, 6)
190   (1, 2, 47)   | 275   (1, 2, 28)   | 356   (1, 2, 69)   | 440   (1, 2, 37)
192   (1, 2, 7)    | 277   (1, 2, 33)   | 357   (1, 2, 28)   | 442   (1, 2, 32)
195   (1, 2, 37)   | 280   (1, 2, 113)  | 360   (1, 2, 49)   | 443   (1, 2, 57)
197   (1, 2, 21)   | 283   (1, 2, 200)  | 361   (1, 2, 44)   | 445   (1, 2, 225)
200   (1, 2, 81)   | 285   (1, 2, 77)   | 363   (1, 2, 38)   | 448   (1, 3, 83)
203   (1, 2, 45)   | 288   (1, 2, 191)  | 365   (1, 2, 109)  | 451   (1, 2, 33)
205   (1, 2, 21)   | 290   (1, 2, 70)   | 368   (1, 2, 85)   | 452   (1, 2, 10)
206   (1, 2, 63)   | 291   (1, 2, 76)   | 371   (1, 2, 156)  | 453   (1, 2, 88)
208   (1, 2, 83)   | 293   (1, 3, 154)  | 373   (1, 3, 172)  | 454   (1, 2, 195)
211   (1, 2, 165)  | 296   (1, 2, 123)  | 374   (1, 2, 109)  | 456   (1, 2, 275)
213   (1, 2, 62)   | 298   (1, 2, 78)   | 376   (1, 2, 77)   | 459   (1, 2, 332)
216   (1, 2, 107)  | 299   (1, 2, 21)   | 379   (1, 2, 222)  | 461   (1, 2, 247)
219   (1, 2, 65)   | 301   (1, 2, 26)   | 381   (1, 2, 5)    | 464   (1, 2, 310)
221   (1, 2, 18)   | 304   (1, 2, 11)   | 384   (1, 2, 299)  | 466   (1, 2, 78)
222   (1, 2, 73)   | 306   (1, 2, 106)  | 387   (1, 2, 146)  | 467   (1, 2, 210)
224   (1, 2, 159)  | 307   (1, 2, 93)   | 389   (1, 2, 159)  | 469   (1, 2, 149)
226   (1, 2, 30)   | 309   (1, 2, 26)   | 392   (1, 2, 145)  | 472   (1, 2, 33)
227   (1, 2, 21)   | 311   (1, 3, 155)  | 395   (1, 2, 333)  | 475   (1, 2, 68)
229   (1, 2, 21)   | 312   (1, 2, 83)   | 397   (1, 2, 125)  | 477   (1, 2, 121)
230   (1, 2, 13)   | 315   (1, 2, 142)  | 398   (1, 3, 23)   | 480   (1, 2, 149)
232   (1, 2, 23)   | 317   (1, 3, 68)   | 400   (1, 2, 245)  | 482   (1, 2, 13)
235   (1, 2, 45)   | 320   (1, 2, 7)    | 403   (1, 2, 80)   | 483   (1, 2, 352)
237   (1, 2, 104)  | 323   (1, 2, 21)   | 405   (1, 2, 38)   | 485   (1, 2, 70)
240   (1, 3, 49)   | 325   (1, 2, 53)   | 408   (1, 2, 323)  | 488   (1, 2, 123)
Table E-3.a: Irreducible pentanomials x^m + x^k3 + x^k2 + x^k1 + 1 over F_2. 

For each m, 490 < m ≤ 811, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial x^m + x^k3 + x^k2 + x^k1 + 1 is irreducible over 
F_2. 


  m   (k1, k2, k3) |   m   (k1, k2, k3) |   m   (k1, k2, k3) |   m   (k1, k2, k3)
491   (1, 2, 270)  | 571   (1, 2, 408)  | 653   (1, 2, 37)   | 734   (1, 2, 67)
493   (1, 2, 171)  | 572   (1, 2, 238)  | 656   (1, 2, 39)   | 736   (1, 2, 359)
496   (1, 3, 52)   | 573   (1, 2, 220)  | 659   (1, 2, 25)   | 739   (1, 2, 60)
499   (1, 2, 174)  | 576   (1, 3, 52)   | 661   (1, 2, 80)   | 741   (1, 2, 34)
501   (1, 2, 332)  | 578   (1, 2, 138)  | 664   (1, 2, 177)  | 744   (1, 2, 347)
502   (1, 2, 99)   | 579   (1, 3, 526)  | 666   (1, 2, 100)  | 747   (1, 2, 158)
504   (1, 3, 148)  | 581   (1, 2, 138)  | 667   (1, 2, 161)  | 749   (1, 2, 357)
507   (1, 2, 26)   | 584   (1, 2, 361)  | 669   (1, 2, 314)  | 752   (1, 2, 129)
509   (1, 2, 94)   | 586   (1, 2, 14)   | 672   (1, 2, 91)   | 755   (1, 4, 159)
512   (1, 2, 51)   | 587   (1, 2, 130)  | 674   (1, 2, 22)   | 757   (1, 2, 359)
515   (1, 2, 73)   | 589   (1, 2, 365)  | 675   (1, 2, 214)  | 760   (1, 2, 17)
517   (1, 2, 333)  | 591   (1, 2, 38)   | 677   (1, 2, 325)  | 763   (1, 2, 17)
520   (1, 2, 291)  | 592   (1, 2, 143)  | 678   (1, 2, 95)   | 764   (1, 2, 12)
523   (1, 2, 66)   | 595   (1, 2, 9)    | 680   (1, 2, 91)   | 765   (1, 2, 137)
525   (1, 2, 92)   | 597   (1, 2, 64)   | 681   (1, 2, 83)   | 766   (1, 3, 280)
528   (1, 2, 35)   | 598   (1, 2, 131)  | 683   (1, 2, 153)  | 768   (1, 2, 115)
530   (1, 2, 25)   | 600   (1, 2, 239)  | 685   (1, 3, 4)    | 770   (1, 2, 453)
531   (1, 2, 53)   | 603   (1, 2, 446)  | 688   (1, 2, 71)   | 771   (1, 2, 86)
533   (1, 2, 37)   | 605   (1, 2, 312)  | 691   (1, 2, 242)  | 773   (1, 2, 73)
535   (1, 2, 143)  | 608   (1, 2, 213)  | 693   (1, 2, 250)  | 776   (1, 2, 51)
536   (1, 2, 165)  | 611   (1, 2, 13)   | 696   (1, 2, 241)  | 779   (1, 2, 456)
539   (1, 2, 37)   | 613   (1, 2, 377)  | 699   (1, 2, 40)   | 781   (1, 2, 209)
541   (1, 2, 36)   | 616   (1, 2, 465)  | 701   (1, 2, 466)  | 784   (1, 2, 59)
542   (1, 3, 212)  | 619   (1, 2, 494)  | 703   (1, 2, 123)  | 786   (1, 2, 118)
544   (1, 2, 87)   | 621   (1, 2, 17)   | 704   (1, 2, 277)  | 787   (1, 2, 189)
546   (1, 2, 8)    | 624   (1, 2, 71)   | 706   (1, 2, 27)   | 788   (1, 2, 375)
547   (1, 2, 165)  | 627   (1, 2, 37)   | 707   (1, 2, 141)  | 789   (1, 2, 5)
548   (1, 2, 385)  | 629   (1, 2, 121)  | 709   (1, 2, 9)    | 790   (1, 2, 111)
549   (1, 3, 274)  | 630   (1, 2, 49)   | 710   (1, 3, 29)   | 792   (1, 2, 403)
552   (1, 2, 41)   | 632   (1, 2, 9)    | 712   (1, 2, 623)  | 795   (1, 2, 137)
554   (1, 2, 162)  | 635   (1, 2, 64)   | 715   (1, 3, 458)  | 796   (1, 2, 36)
555   (1, 2, 326)  | 637   (1, 2, 84)   | 717   (1, 2, 320)  | 797   (1, 2, 193)
557   (1, 2, 288)  | 638   (1, 2, 127)  | 720   (1, 2, 625)  | 800   (1, 2, 463)
560   (1, 2, 157)  | 640   (1, 3, 253)  | 723   (1, 2, 268)  | 802   (1, 2, 102)
562   (1, 2, 56)   | 643   (1, 2, 153)  | 725   (1, 2, 331)  | 803   (1, 2, 208)
563   (1, 4, 159)  | 644   (1, 2, 24)   | 728   (1, 2, 51)   | 805   (1, 2, 453)
565   (1, 2, 66)   | 645   (1, 2, 473)  | 731   (1, 2, 69)   | 808   (1, 3, 175)
568   (1, 2, 291)  | 648   (1, 2, 235)  | 733   (1, 2, 92)   | 811   (1, 2, 18)
Table E-3.b: Irreducible pentanomials x^m + x^k3 + x^k2 + x^k1 + 1 over F_2. 

For each m, 812 < m ≤ 1131, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial x^m + x^k3 + x^k2 + x^k1 + 1 is irreducible over 
F_2. 


  m   (k1, k2, k3) |   m   (k1, k2, k3) |    m   (k1, k2, k3) |    m   (k1, k2, k3)
813   (1, 2, 802)  | 901   (1, 2, 581)  |  973   (1, 2, 113)  | 1053   (1, 2, 290)
816   (1, 3, 51)   | 904   (1, 3, 60)   |  974   (1, 2, 211)  | 1056   (1, 2, 11)
819   (1, 2, 149)  | 907   (1, 3, 26)   |  976   (1, 2, 285)  | 1059   (1, 3, 6)
821   (1, 2, 111)  | 909   (1, 3, 168)  |  978   (1, 2, 376)  | 1061   (1, 2, 166)
824   (1, 2, 495)  | 910   (1, 2, 357)  |  980   (1, 2, 316)  | 1064   (1, 2, 946)
827   (1, 2, 189)  | 912   (1, 2, 569)  |  981   (1, 2, 383)  | 1066   (1, 2, 258)
829   (1, 2, 560)  | 914   (1, 2, 4)    |  984   (1, 2, 349)  | 1067   (1, 2, 69)
830   (1, 2, 241)  | 915   (1, 2, 89)   |  987   (1, 3, 142)  | 1068   (1, 2, 223)
832   (1, 2, 39)   | 917   (1, 2, 22)   |  989   (1, 2, 105)  | 1069   (1, 2, 146)
835   (1, 2, 350)  | 920   (1, 3, 517)  |  992   (1, 2, 585)  | 1070   (1, 3, 94)
836   (1, 2, 606)  | 922   (1, 2, 24)   |  995   (1, 3, 242)  | 1072   (1, 2, 443)
837   (1, 2, 365)  | 923   (1, 2, 142)  |  997   (1, 2, 453)  | 1073   (1, 3, 235)
840   (1, 2, 341)  | 925   (1, 2, 308)  | 1000   (1, 3, 68)   | 1074   (1, 2, 395)
843   (1, 2, 322)  | 928   (1, 2, 33)   | 1002   (1, 2, 266)  | 1075   (1, 2, 92)
848   (1, 2, 225)  | 929   (1, 2, 36)   | 1003   (1, 2, 410)  | 1076   (1, 2, 22)
851   (1, 2, 442)  | 931   (1, 2, 72)   | 1004   (1, 2, 96)   | 1077   (1, 2, 521)
853   (1, 2, 461)  | 933   (1, 2, 527)  | 1005   (1, 2, 41)   | 1080   (1, 2, 151)
854   (1, 2, 79)   | 934   (1, 3, 800)  | 1006   (1, 2, 63)   | 1083   (1, 2, 538)
856   (1, 2, 842)  | 936   (1, 3, 27)   | 1008   (1, 2, 703)  | 1088   (1, 2, 531)
859   (1, 2, 594)  | 939   (1, 2, 142)  | 1011   (1, 2, 17)   | 1091   (1, 2, 82)
863   (1, 2, 90)   | 940   (1, 2, 204)  | 1013   (1, 2, 180)  | 1093   (1, 2, 173)
864   (1, 2, 607)  | 941   (1, 2, 573)  | 1016   (1, 2, 49)   | 1096   (1, 2, 351)
867   (1, 2, 380)  | 944   (1, 2, 487)  | 1017   (1, 2, 746)  | 1099   (1, 2, 464)
869   (1, 2, 82)   | 946   (1, 3, 83)   | 1018   (1, 2, 27)   | 1101   (1, 2, 14)
872   (1, 2, 691)  | 947   (1, 2, 400)  | 1019   (1, 2, 96)   | 1104   (1, 2, 259)
874   (1, 2, 110)  | 949   (1, 2, 417)  | 1021   (1, 2, 5)    | 1107   (1, 2, 176)
875   (1, 2, 66)   | 950   (1, 2, 859)  | 1024   (1, 2, 515)  | 1109   (1, 2, 501)
877   (1, 2, 140)  | 952   (1, 3, 311)  | 1027   (1, 2, 378)  | 1112   (1, 2, 1045)
878   (1, 2, 343)  | 955   (1, 2, 606)  | 1032   (1, 2, 901)  | 1114   (1, 2, 345)
880   (1, 3, 221)  | 957   (1, 2, 158)  | 1035   (1, 2, 76)   | 1115   (1, 2, 268)
883   (1, 2, 488)  | 958   (1, 2, 191)  | 1037   (1, 2, 981)  | 1117   (1, 2, 149)
885   (1, 2, 707)  | 960   (1, 2, 491)  | 1038   (1, 2, 41)   | 1118   (1, 2, 475)
886   (1, 2, 227)  | 962   (1, 2, 18)   | 1040   (1, 2, 429)  | 1120   (1, 3, 386)
888   (1, 2, 97)   | 963   (1, 2, 145)  | 1043   (1, 3, 869)  | 1123   (1, 2, 641)
891   (1, 2, 364)  | 965   (1, 2, 213)  | 1045   (1, 2, 378)  | 1124   (1, 2, 156)
893   (1, 2, 13)   | 968   (1, 2, 21)   | 1046   (1, 2, 39)   | 1125   (1, 2, 206)
896   (1, 2, 19)   | 970   (1, 2, 260)  | 1048   (1, 3, 172)  | 1128   (1, 3, 7)
899   (1, 3, 898)  | 971   (1, 2, 6)    | 1051   (1, 3, 354)  | 1131   (1, 2, 188)
Table E-3.c: Irreducible pentanomials X^m + X^k3 + X^k2 + X^k1 + 1 over F_2. 

For each m, 1131 < m ≤ 1456, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial X^m + X^k3 + X^k2 + X^k1 + 1 is irreducible over 
F_2. 

   m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)
1132  (1,2,20)    1219  (1,2,225)   1296  (1,2,379)   1376  (1,2,1201)
1133  (1,2,667)   1221  (1,2,101)   1299  (1,2,172)   1378  (1,2,362)
1136  (1,2,177)   1222  (1,2,215)   1301  (1,2,297)   1379  (1,2,400)
1139  (1,2,45)    1224  (1,2,157)   1303  (1,2,306)   1381  (1,2,56)
1141  (1,2,134)   1227  (1,2,361)   1304  (1,3,574)   1382  (1,3,58)
1143  (1,2,7)     1229  (1,2,627)   1307  (1,2,157)   1384  (1,2,1131)
1144  (1,2,431)   1232  (1,2,225)   1309  (1,2,789)   1387  (1,2,33)
1147  (1,2,390)   1235  (1,2,642)   1312  (1,2,1265)  1389  (1,2,41)
1149  (1,2,221)   1237  (1,2,150)   1315  (1,2,270)   1392  (1,2,485)
1150  (1,2,63)    1240  (1,2,567)   1316  (1,2,12)    1394  (1,2,30)
1152  (1,2,971)   1243  (1,2,758)   1317  (1,2,254)   1395  (1,2,233)
1155  (1,2,94)    1244  (1,2,126)   1318  (1,3,94)    1397  (1,2,397)
1157  (1,2,105)   1245  (1,2,212)   1320  (1,2,835)   1400  (1,2,493)
1160  (1,2,889)   1248  (1,2,1201)  1322  (1,2,538)   1403  (1,2,717)
1162  (1,2,288)   1250  (1,2,37)    1323  (1,2,1198)  1405  (1,2,558)
1163  (1,2,33)    1251  (1,2,1004)  1325  (1,2,526)   1406  (1,2,13)
1165  (1,2,494)   1253  (1,2,141)   1328  (1,2,507)   1408  (1,3,45)
1168  (1,2,473)   1254  (1,2,697)   1330  (1,2,609)   1411  (1,2,200)
1171  (1,2,396)   1256  (1,2,171)   1331  (1,2,289)   1413  (1,2,101)
1172  (1,2,426)   1258  (1,2,503)   1333  (1,2,276)   1416  (1,3,231)
1173  (1,2,673)   1259  (1,2,192)   1336  (1,2,815)   1418  (1,2,283)
1176  (1,2,19)    1261  (1,2,14)    1339  (1,2,284)   1419  (1,2,592)
1179  (1,2,640)   1262  (1,2,793)   1341  (1,2,53)    1421  (1,2,30)
1181  (1,2,82)    1264  (1,2,285)   1342  (1,2,477)   1424  (1,2,507)
1184  (1,2,1177)  1267  (1,2,197)   1344  (1,2,469)   1427  (1,2,900)
1187  (1,2,438)   1269  (1,2,484)   1346  (1,2,57)    1429  (1,2,149)
1189  (1,2,102)   1272  (1,2,223)   1347  (1,2,61)    1432  (1,2,251)
1192  (1,3,831)   1274  (1,2,486)   1349  (1,2,40)    1435  (1,2,126)
1194  (1,2,317)   1275  (1,2,25)    1352  (1,2,583)   1437  (1,2,545)
1195  (1,2,293)   1277  (1,2,451)   1355  (1,2,117)   1439  (1,2,535)
1197  (1,2,269)   1280  (1,2,843)   1357  (1,2,495)   1440  (1,3,1023)
1200  (1,3,739)   1283  (1,2,70)    1360  (1,2,393)   1443  (1,2,413)
1203  (1,2,226)   1285  (1,2,564)   1363  (1,2,852)   1445  (1,2,214)
1205  (1,2,4)     1288  (1,2,215)   1365  (1,2,329)   1448  (1,3,212)
1208  (1,2,915)   1290  (1,2,422)   1368  (1,2,41)    1450  (1,2,155)
1211  (1,2,373)   1291  (1,2,245)   1370  (1,2,108)   1451  (1,2,193)
1213  (1,2,245)   1292  (1,2,78)    1371  (1,2,145)   1453  (1,2,348)
1216  (1,2,155)   1293  (1,2,26)    1373  (1,2,613)   1456  (1,2,1011)
Table E-3.d: Irreducible pentanomials X^m + X^k3 + X^k2 + X^k1 + 1 over F_2. 

For each m, 1458 < m ≤ 1761, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial X^m + X^k3 + X^k2 + X^k1 + 1 is irreducible over 
F_2. 

   m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)
1459  (1,2,1032)  1536  (1,2,881)   1619  (1,2,289)   1690  (1,2,200)
1461  (1,2,446)   1538  (1,2,6)     1621  (1,2,1577)  1691  (1,2,556)
1462  (1,2,165)   1539  (1,2,80)    1622  (1,2,1341)  1693  (1,2,137)
1464  (1,2,275)   1541  (1,2,4)     1624  (1,2,1095)  1696  (1,2,737)
1467  (1,2,113)   1544  (1,2,99)    1626  (1,2,191)   1699  (1,2,405)
1469  (1,2,775)   1546  (1,2,810)   1627  (1,2,189)   1701  (1,2,568)
1472  (1,2,613)   1547  (1,2,493)   1629  (1,2,397)   1702  (1,2,245)
1474  (1,2,59)    1549  (1,2,426)   1632  (1,2,211)   1704  (1,3,55)
1475  (1,2,208)   1552  (1,2,83)    1635  (1,2,113)   1706  (1,2,574)
1477  (1,2,1325)  1555  (1,2,254)   1637  (1,2,234)   1707  (1,2,221)
1480  (1,2,285)   1557  (1,2,20)    1640  (1,2,715)   1709  (1,2,201)
1483  (1,2,1077)  1560  (1,2,11)    1643  (1,2,760)   1712  (1,2,445)
1484  (1,2,61)    1563  (1,2,41)    1644  (1,2,236)   1714  (1,2,191)
1485  (1,2,655)   1565  (1,2,18)    1645  (1,2,938)   1715  (1,2,612)
1488  (1,2,463)   1568  (1,2,133)   1646  (1,2,435)   1717  (1,2,881)
1491  (1,2,544)   1571  (1,2,21)    1648  (1,2,77)    1718  (1,2,535)
1493  (1,2,378)   1573  (1,2,461)   1651  (1,2,873)   1720  (1,2,525)
1494  (1,2,731)   1574  (1,2,331)   1653  (1,2,82)    1723  (1,2,137)
1496  (1,2,181)   1576  (1,2,147)   1654  (1,3,201)   1725  (1,2,623)
1498  (1,2,416)   1579  (1,2,374)   1656  (1,2,361)   1727  (1,2,22)
1499  (1,2,477)   1581  (1,2,160)   1658  (1,2,552)   1728  (1,2,545)
1501  (1,2,60)    1584  (1,2,895)   1659  (1,2,374)   1730  (1,2,316)
1502  (1,2,111)   1587  (1,2,433)   1661  (1,2,84)    1731  (1,2,925)
1504  (1,2,207)   1589  (1,2,882)   1662  (1,3,958)   1732  (1,2,75)
1506  (1,2,533)   1592  (1,2,223)   1664  (1,2,399)   1733  (1,2,285)
1507  (1,2,900)   1594  (1,2,971)   1667  (1,2,1020)  1736  (1,2,435)
1509  (1,2,209)   1595  (1,2,18)    1669  (1,2,425)   1739  (1,2,409)
1512  (1,2,1121)  1597  (1,2,42)    1670  (1,2,19)    1741  (1,3,226)
1515  (1,2,712)   1598  (1,2,385)   1672  (1,2,405)   1744  (1,2,35)
1517  (1,2,568)   1600  (1,2,57)    1675  (1,2,77)    1747  (1,2,93)
1520  (1,2,81)    1603  (1,2,917)   1677  (1,2,844)   1749  (1,2,236)
1522  (1,2,47)    1605  (1,2,46)    1680  (1,2,1549)  1752  (1,2,559)
1523  (1,2,240)   1608  (1,2,271)   1682  (1,2,354)   1754  (1,2,75)
1525  (1,2,102)   1610  (1,2,250)   1683  (1,2,1348)  1755  (1,2,316)
1528  (1,2,923)   1611  (1,2,58)    1684  (1,2,474)   1757  (1,2,21)
1531  (1,2,1125)  1613  (1,2,48)    1685  (1,2,493)   1758  (1,2,221)
1532  (1,2,466)   1614  (1,2,1489)  1686  (1,2,887)   1760  (1,3,1612)
1533  (1,2,763)   1616  (1,2,139)   1688  (1,2,921)   1761  (1,2,131)
Table E-3.e: Irreducible pentanomials X^m + X^k3 + X^k2 + X^k1 + 1 over F_2. 

For each m, 1761 < m ≤ 2000, for which an irreducible trinomial of degree m does not exist, a triple of 
exponents k1, k2, k3 is given for which the pentanomial X^m + X^k3 + X^k2 + X^k1 + 1 is irreducible over 
F_2. 

   m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)     m  (k1,k2,k3)
1762  (1,2,318)   1826  (1,2,298)   1883  (1,2,1062)  1941  (1,2,1133)
1763  (1,2,345)   1827  (1,2,154)   1885  (1,2,813)   1942  (1,2,147)
1765  (1,2,165)   1829  (1,2,162)   1888  (1,2,923)   1944  (1,2,617)
1766  (1,2,1029)  1832  (1,3,1078)  1891  (1,2,1766)  1947  (1,2,1162)
1768  (1,2,1403)  1834  (1,2,210)   1892  (1,3,497)   1949  (1,2,621)
1771  (1,2,297)   1835  (1,2,288)   1893  (1,2,461)   1952  (1,3,65)
1773  (1,2,50)    1837  (1,2,200)   1894  (1,3,215)   1954  (1,2,1226)
1776  (1,2,17)    1840  (1,2,195)   1896  (1,2,451)   1955  (1,2,109)
1779  (1,3,1068)  1842  (1,2,799)   1897  (1,2,324)   1957  (1,2,17)
1781  (1,2,18)    1843  (1,2,872)   1898  (1,2,613)   1960  (1,2,939)
1784  (1,2,1489)  1845  (1,2,526)   1899  (1,2,485)   1963  (1,2,1137)
1786  (1,2,614)   1848  (1,2,871)   1901  (1,2,330)   1965  (1,2,364)
1787  (1,2,457)   1850  (1,2,79)    1904  (1,2,337)   1968  (1,3,922)
1789  (1,2,80)    1851  (1,2,250)   1907  (1,2,45)    1970  (1,2,388)
1792  (1,2,341)   1852  (1,2,339)   1909  (1,2,225)   1971  (1,2,100)
1794  (1,2,95)    1853  (1,2,705)   1910  (1,3,365)   1972  (1,2,474)
1795  (1,2,89)    1856  (1,2,585)   1912  (1,2,599)   1973  (1,2,438)
1796  (1,2,829)   1858  (1,2,1368)  1914  (1,2,544)   1976  (1,3,1160)
1797  (1,2,80)    1859  (1,2,120)   1915  (1,2,473)   1978  (1,2,158)
1800  (1,2,1013)  1861  (1,2,509)   1916  (1,2,502)   1979  (1,2,369)
1803  (1,2,248)   1864  (1,2,1379)  1917  (1,2,485)   1981  (1,2,96)
1805  (1,2,82)    1867  (1,2,117)   1920  (1,2,67)    1982  (1,2,1027)
1808  (1,2,25)    1868  (1,2,250)   1922  (1,2,36)    1984  (1,2,129)
1811  (1,2,117)   1869  (1,2,617)   1923  (1,4,40)    1987  (1,2,80)
1812  (1,2,758)   1872  (1,3,60)    1925  (1,2,576)   1989  (1,2,719)
1813  (1,3,884)   1874  (1,2,70)    1928  (1,2,763)   1992  (1,2,1241)
1816  (1,2,887)   1875  (1,2,412)   1930  (1,2,155)   1995  (1,2,37)
1819  (1,2,116)   1876  (1,2,122)   1931  (1,2,648)   1997  (1,2,835)
1821  (1,2,326)   1877  (1,2,796)   1933  (1,2,971)   1998  (1,3,1290)
1822  (1,3,31)    1880  (1,2,1647)  1936  (1,2,117)   2000  (1,2,981)
1824  (1,2,821)   1882  (1,2,128)   1939  (1,2,5)
E.4. Table of Fields F_{2^m} which Have Both an ONB and a TPB over F_2 

Table E-4: Values of m, 160 < m < 2000, for which the field F_{2^m} has both an ONB and a TPB over F_2. 

 162   292   431   606   743   858  1034  1170  1306  1492  1703  1926
 172   303   438   612   746   866  1041  1178  1310  1505  1734  1938
 174   316   441   614   756   870  1049  1185  1329  1511  1740  1948
 178   329   460   615   761   873  1055  1186  1338  1518  1745  1953
   ?   330   470   618   772   876  1060  1199  1353  1530  1746  1958
 183   346   473   639   774   879  1065  1212  1359  1548  1769  1959
 186   348   490   641   783   882  1090  1218  1372  1559  1778  1961
 191   350   495   650   785   906  1103  1223  1380  1570  1785  1983
 194   354   508   651   791   911  1106  1228  1398  1583  1790  1986
 196   359   519   652   809   930  1108  1233  1401  1593  1791  1994
   ?   372   522   658   810   935  1110  1236  1409  1601  1806  1996
   ?   375   540   660   818   938  1116  1238  1425  1618  1818
 231   378   543   676   820   953  1119  1265  1426  1620  1838
 233   386   545   686   826   975  1121  1271  1430  1636  1854
 239   388   556   690   828   986  1122  1276  1452  1649  1860
 268   393   558   700   831   993  1134  1278  1454  1666  1863
   ?   414   561   708   833   998  1146  1282  1463  1668  1866
 273   418   575   713   834  1014  1154  1289  1478  1673  1889
 278   420   585   719   846  1026  1166  1295  1481  1679  1900
 281   426   593   726   852  1031  1169  1300  1482  1692  1906

(The table reads down each column; entries marked ? are illegible in the source.) 
Appendix F Normative Number-Theoretic Algorithms 

[Normative] 

F.1. Avoiding Cryptographically Weak Curves 

Two conditions, the MOV condition and the Anomalous condition, are described to ensure that a particular 
elliptic curve is not vulnerable to two known attacks on special instances of the elliptic curve discrete 
logarithm problem. 

F.1.1. The MOV Condition 

The reduction attack of Menezes, Okamoto and Vanstone [29] reduces the discrete logarithm problem in an 
elliptic curve over F_q to the discrete logarithm problem in the finite field F_{q^B} for some B ≥ 1. The attack is only 
practical if B is small; this is not the case for most elliptic curves. The MOV condition ensures that an 
elliptic curve is not vulnerable to this reduction attack. 

Before performing the algorithm, it is necessary to select an MOV threshold. This is a positive integer B 
such that taking discrete logarithms over F_{q^B} is at least as difficult as taking elliptic discrete logarithms over 
F_q. For this Standard, a value B ≥ 20 is required. Selecting B ≥ 20 also limits the selection of curves to 
non-supersingular curves (see Section D.1). This algorithm is used in elliptic curve parameter validation (see 
Section 5.1) and elliptic curve parameter generation (see Section F.3.2). 

Input: An MOV threshold B, a prime power q, and a prime n. (n is a prime divisor of #E(F_q), where 
E is an elliptic curve defined over F_q.) 

Output: The message "True" if the MOV condition is satisfied for an elliptic curve over F_q with a base 
point of order n; the message "False" otherwise. 

1. Set t = 1. 

2. For i from 1 to B do 

2.1. Set t = t · q mod n. 

2.2. If t = 1, then output "False" and stop. 

3. Output "True". 

F.1.2. The Anomalous Condition 

Smart [39] and Satoh and Araki [38] showed that the elliptic curve discrete logarithm problem in 
anomalous curves can be efficiently solved. An elliptic curve E defined over F_q is said to be F_q-anomalous 
if #E(F_q) = q. The Anomalous condition checks that #E(F_q) ≠ q; this ensures that an elliptic curve is not 
vulnerable to the Anomalous attack. 

Input: An elliptic curve E defined over F_q, and the order u = #E(F_q). 

Output: The message "True" if the Anomalous condition is satisfied for E over F_q, the message "False" 
otherwise. 

1. If u = q then output "False"; otherwise output "True". 
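The two checks of Section F.1 as an added worked example that is not part of this Standard. The MOV loop and the Anomalous test are plain integer arithmetic, so they are run here against two inputs that are not on this page: the 192-bit prime curve the Standard uses as a sample (its p and prime order n are quoted from memory of FIPS 186-2), and a constructed supersingular curve y^2 = x^3 + x over F_11, for which the MOV condition fails at i = 2.

```python
# Added example, not part of ANSI X9.62: the weak-curve checks of Section F.1
# as plain integer arithmetic.  Sample parameters: the 192-bit prime curve the
# Standard uses as a sample (p = 2^192 - 2^64 - 1 and its prime order n, quoted
# from memory of FIPS 186-2, not from this page), and a constructed supersingular
# curve y^2 = x^3 + x over F_11, which has 12 = q + 1 points.

MOV_THRESHOLD = 20   # B; the Standard requires B >= 20


def mov_condition(q, n, B=MOV_THRESHOLD):
    """F.1.1: "True" unless q^i = 1 (mod n) for some 1 <= i <= B.

    q^i = 1 (mod n) means n divides q^i - 1, so the order-n subgroup of E(F_q)
    embeds into the multiplicative group of F_{q^i} and the ECDLP reduces to a
    DLP there; for i <= B that field is too small to be safe.
    """
    if q < 2 or n < 2:
        raise ValueError("q and n must be greater than 1")
    t = 1                                   # Step 1
    for _ in range(1, B + 1):               # Step 2: for i from 1 to B
        t = (t * q) % n                     # Step 2.1
        if t == 1:                          # Step 2.2
            return False
    return True                             # Step 3


def anomalous_condition(u, q):
    """F.1.2: "True" unless #E(F_q) = u equals q."""
    return u != q


def embedding_degree(q, n, limit):
    """Smallest i <= limit with q^i = 1 (mod n), or None.  Not in the
    Standard; it only reports why the MOV condition fails."""
    t = 1
    for i in range(1, limit + 1):
        t = (t * q) % n
        if t == 1:
            return i
    return None


def validate(q, n, u):
    """Run both F.1 checks on (q, n, #E) the way parameter validation would."""
    return {
        "mov": mov_condition(q, n),
        "anomalous": anomalous_condition(u, q),
        "embedding_degree": embedding_degree(q, n, MOV_THRESHOLD),
    }


# --- sample inputs (see header; not taken from this page) ---
P192_P = 2**192 - 2**64 - 1
P192_N = 6277101735386680763835789423176059013767194773182842284081   # cofactor 1, so #E = n

# For n = 3 | 12 = q + 1 we have q = -1 (mod n), hence q^2 = 1 (mod n):
# the MOV loop finds t = 1 at i = 2 and the curve must be rejected.
WEAK_Q, WEAK_N, WEAK_U = 11, 3, 12

if __name__ == "__main__":
    print("P-192:", validate(P192_P, P192_N, P192_N))
    print("weak :", validate(WEAK_Q, WEAK_N, WEAK_U))
```

The supersingular case is the one the threshold B ≥ 20 is designed to exclude: every curve with #E = q + 1 has q ≡ −1 (mod n) for each prime n dividing the order, so the loop terminates at i = 2 regardless of how large n is.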

F.2. Primality 

F.2.1. A Probabilistic Primality Test 

If n is a large positive integer, the following probabilistic algorithm (the Miller-Rabin test) [21, p. 379] will 
determine whether n is prime or composite, with an arbitrarily small probability of error. This algorithm is 
used in elliptic curve parameter validation (see Section 5.1), in elliptic curve parameter generation (see 
Section F.3.2), and in checking for near primality (see Section F.2.2). 

Input: A large odd integer n, and a positive integer T. 

Output: The message "probable prime" or "composite". 

1. Compute v and an odd value w such that n − 1 = 2^v · w. 

2. For j from 1 to T do 

2.1. Choose random a in the interval [2, n − 1]. 

2.2. Set b = a^w mod n. 

2.3. If b = 1 or b = n − 1, go to Step 2.6. 

2.4. For i from 1 to v − 1 do 

2.4.1. Set b = b^2 mod n. 

2.4.2. If b = n − 1, go to Step 2.6. 

2.4.3. If b = 1, output "composite" and stop. 

2.4.4. Next i. 

2.5. Output "composite" and stop. 

2.6. Next j. 

3. Output "probable prime". 

If the algorithm outputs "composite", then n is a composite integer. The probability that the algorithm 
outputs "probable prime" when n is a composite integer is less than 2^(−2T). Thus, the probability of an error 
can be made negligible by taking a large enough value for T. For this Standard, a value of T ≥ 50 shall be 
used. If a deterministic test is needed, see Section F.2.3. 

F.2.2. Checking for Near Primality 

Given a trial division bound l_max, a positive integer h is said to be l_max-smooth if every prime divisor of h is 
at most l_max. Given a positive integer r_min, the positive integer u is said to be nearly prime if u = h · n for some 
probable prime value of n such that n ≥ r_min and some l_max-smooth integer h. The following algorithm checks 
for near primality. The algorithm is used in elliptic curve parameter generation (see Section F.3.2). 

Input: Positive integers u, l_max, and r_min. 

Output: If u is nearly prime, a probable prime n ≥ r_min and an l_max-smooth integer h such that u = h · n. If u 
is not nearly prime, the message "not nearly prime". 

1. Set n = u, h = 1. 

2. For l from 2 to l_max do 

2.1. If l is composite, then go to Step 2.3. 

2.2. While (l divides n) 

2.2.1. Set n = n / l and h = h · l. 

2.2.2. If n < r_min, then output "not nearly prime" and stop. 

2.3. Next l. 

3. If n is probably prime (see Section F.2.1), then output h and n and stop. 

4. Output "not nearly prime". 
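Sections F.2.1 and F.2.2 as an added Python example that is not part of this Standard. Python's secrets module supplies the random base a of Step 2.1; the inputs are chosen here rather than taken from the page: 2^127 − 1 (a Mersenne prime), the Carmichael number 561 = 3 · 11 · 17 (which passes the Fermat test for every base coprime to it but not this test), and two constructed values of u, one nearly prime and one whose cofactor 257 exceeds l_max = 255.

```python
# Added example, not part of ANSI X9.62: Section F.2.1 (Miller-Rabin) and
# Section F.2.2 (near primality) as written, with Python's `secrets` module
# standing in for "choose random a".  Sample values are constructed here.
import secrets

T_MIN = 50   # F.2.1: the Standard requires T >= 50 rounds


def miller_rabin(n, T=T_MIN):
    """Return "probable prime" or "composite" for a large odd integer n."""
    if n < 5 or n % 2 == 0:
        raise ValueError("n must be a large odd integer")
    v, w = 0, n - 1                                  # Step 1: n - 1 = 2^v * w
    while w % 2 == 0:
        v, w = v + 1, w // 2
    for _ in range(T):                               # Step 2
        a = 2 + secrets.randbelow(n - 2)             # 2.1: a in [2, n - 1]
        b = pow(a, w, n)                             # 2.2
        if b in (1, n - 1):                          # 2.3 -> 2.6
            continue
        for _ in range(v - 1):                       # 2.4
            b = (b * b) % n                          # 2.4.1
            if b == n - 1:                           # 2.4.2 -> 2.6
                break
            if b == 1:                               # 2.4.3: nontrivial sqrt of 1
                return "composite"
        else:
            return "composite"                       # 2.5: never reached n - 1
    return "probable prime"                          # Step 3


def is_probable_prime(n, T=T_MIN):
    """Wrapper covering the small and even cases F.2.1 does not take as input."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return miller_rabin(n, T) == "probable prime"


def check_near_primality(u, l_max, r_min):
    """F.2.2: (h, n) with u = h*n, h l_max-smooth, n >= r_min probably prime;
    otherwise the string "not nearly prime"."""
    n, h = u, 1                                      # Step 1
    for l in range(2, l_max + 1):                    # Step 2
        if not is_probable_prime(l):                 # 2.1: skip composite l
            continue
        while n % l == 0:                            # 2.2
            n, h = n // l, h * l                     # 2.2.1
            if n < r_min:                            # 2.2.2
                return "not nearly prime"
    if is_probable_prime(n):                         # Step 3
        return h, n
    return "not nearly prime"                        # Step 4


# --- constructed sample inputs ---
M127 = 2**127 - 1              # a Mersenne prime
CARMICHAEL_561 = 561           # composite; a^560 = 1 (mod 561) for all a coprime to 561
NEARLY_PRIME_U = 4 * M127      # h = 4 is 255-smooth, n = 2^127 - 1
NOT_NEARLY_U = 257 * M127      # 257 > l_max = 255, so the cofactor is never divided out

if __name__ == "__main__":
    print(miller_rabin(M127), miller_rabin(CARMICHAEL_561))
    print(check_near_primality(NEARLY_PRIME_U, 255, 2**100))
    print(check_near_primality(NOT_NEARLY_U, 255, 2**100))
```

Step 2.4.3 is what separates this test from a Fermat test: a value b with b ≠ ±1 and b^2 ≡ 1 (mod n) is a nontrivial square root of 1, which cannot exist modulo a prime, so 561 is rejected even though a^560 ≡ 1 for every base coprime to it.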

F.2.3. A Deterministic Primality Test 

An application of elliptic curves is the devising of algorithms for proving the primality of an integer p 
which is deemed "prime" by the probabilistic test of Section F.2.1. If a deterministic primality test is 
desired, the test referenced in this section shall be used. The Goldwasser-Kilian-Atkin (GKA) algorithm 
produces a primality certificate: a collection 

C = {C_1, ..., C_s} 

in which each component C_i consists of positive integers: 

C_i = (p_i, r_i, a_i, b_i, x_i, y_i), 

where: 

• For all i, (x_i, y_i) is a point of order r_i on the elliptic curve y^2 = x^3 + a_i · x + b_i (mod p_i), 

• √r_i > p_i^(1/4) + 1 for all i, 

• p_1 = n, 

• p_(i+1) = r_i for 1 ≤ i < s, 

• (one further condition is illegible in the source: "f G< /,L'"), 

• r_s is proved prime by trial division. 

If a primality certificate exists for n, then n is prime by the following theorem. 

THEOREM (Goldwasser-Kilian): 

Let p and r be positive integers greater than 3 with √r > p^(1/4) + 1. Let a, b, x, and y be integers (mod p) 
such that (x, y) is a point of order r on the elliptic curve 

y^2 = x^3 + a · x + b (mod p). 

Then p is prime if r is prime. 

The GKA algorithm is specified in IEEE P1363 [12]. 

F.3. Elliptic Curve Algorithms 

F.3.1. Finding a Point of Large Prime Order 

If the order #E(F_q) = u of an elliptic curve E is nearly prime, the following algorithm efficiently produces a 
random point on E whose order is the large prime factor n of u = h · n. The algorithm is used in elliptic curve 
parameter generation (see Section F.3.2). 

Input: A prime n, a positive integer h not divisible by n, and an elliptic curve E over the field F_q with 
#E(F_q) = u. 

Output: If u = h · n, a point P on E of order n. If not, the message "wrong order". 

1. Generate a random point G (not O) on E. (See Section G.3.1.) 

2. Set P = h · G. 

3. If P = O, then go to Step 1. 

4. Set Q = n · P. 

5. If Q ≠ O, then output "wrong order" and stop. 

6. Output P. 
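Section F.3.1 as an added Python example that is not part of this Standard, run on two toy curves over prime fields with the affine group law written out. The curve order is found by exhaustive counting, a stand-in for Schoof's algorithm (Note 5 of F.3.2) that only works because the fields are tiny, and the random point of Section G.3.1 (not on this page) is found by trying random x-coordinates. The curves and their orders are constructed here: y^2 = x^3 + 2x + 2 over F_17 has 19 points (prime, h = 1) and y^2 = x^3 + x over F_11 has 12 = 4 · 3.

```python
# Added example, not part of ANSI X9.62: Section F.3.1 on toy curves over a
# prime field, with affine arithmetic on y^2 = x^3 + ax + b written out.
# #E(F_p) is found by exhaustive counting, a stand-in for Schoof's algorithm
# (Note 5 of F.3.2) that only works because the toy fields are tiny, and the
# random point of Section G.3.1 (not on this page) is found by trying random
# x-coordinates.  Sample curves (constructed here): y^2 = x^3 + 2x + 2 over
# F_17 has 19 points (prime, h = 1); y^2 = x^3 + x over F_11 has 12 = 4 * 3.
import secrets

INFINITY = None    # the point at infinity O


def ec_add(P, Q, a, p):
    """P + Q in affine coordinates (b is not needed for the group law)."""
    if P is INFINITY:
        return Q
    if Q is INFINITY:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:          # Q = -P (covers y1 = 0 doubling)
        return INFINITY
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, a, p):
    """k * P by double-and-add, k >= 0."""
    R = INFINITY
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def count_points(p, a, b):
    """#E(F_p) by brute force: the affine solutions of y^2 = x^3 + ax + b, plus O."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return 1 + sum(len(roots.get((x**3 + a * x + b) % p, [])) for x in range(p))


def random_point(p, a, b):
    """A random affine point (never O): random x until the right-hand side is a square."""
    while True:
        x = secrets.randbelow(p)
        rhs = (x**3 + a * x + b) % p
        ys = [y for y in range(p) if y * y % p == rhs]     # toy-field square root
        if ys:
            return (x, secrets.choice(ys))


def point_of_order(n, h, p, a, b):
    """F.3.1: a point of order n on E when #E = h*n; raises "wrong order" otherwise."""
    while True:
        G = random_point(p, a, b)                  # Step 1: random G, G != O
        P = ec_mul(h, G, a, p)                     # Step 2: P = hG
        if P is INFINITY:                          # Step 3: try again
            continue
        if ec_mul(n, P, a, p) is not INFINITY:     # Steps 4-5: Q = nP must be O
            raise ValueError("wrong order")
        return P                                   # Step 6


if __name__ == "__main__":
    u = count_points(17, 2, 2)                     # 19
    P = point_of_order(19, 1, 17, 2, 2)
    print("#E =", u, " P =", P, " 19P =", ec_mul(19, P, 2, 17))
    u = count_points(11, 1, 0)                     # 12 = 4 * 3
    P = point_of_order(3, 4, 11, 1, 0)
    print("#E =", u, " P =", P, " 3P =", ec_mul(3, P, 1, 11))
```

Note what Step 5 does and does not detect: with the F_17 curve and the wrong prime n = 7, Q = 7P ≠ O and "wrong order" is raised, but a wrong cofactor h with the right n is not caught, since nP = O holds for every point once n is the exponent of the group.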

F.3.2. Selecting an Appropriate Curve and Point 

Given a field size q, a lower bound r_min for the point order, and a trial division bound l_max, the following 
procedure shall be used for choosing a curve and arbitrary point. The algorithm is used to generate elliptic 
curve parameters (see Sections 5.1.1.a and 5.1.2.a). 

Input: A field size q, lower bound r_min, and trial division bound l_max. (See the notes below for 
guidance on selecting r_min and l_max.) 

Output: Field elements a, b ∈ F_q which define an elliptic curve over F_q, a point P of prime order n ≥ 
r_min on the curve, and the cofactor h = #E(F_q)/n. 

1. If it is desired that an elliptic curve be generated verifiably at random, then select parameters 
(SEED, a, b) using the technique specified in Section F.3.3.a in the case that q = 2^m, or the 
technique specified in Section F.3.3.b in the case that q = p is an odd prime. Compute the order u 
of the curve defined by a and b (see Note 5 below). 

Otherwise, use any alternative technique to select a, b ∈ F_q which define an elliptic curve of 
known order u. (See Note 6 for one such technique.) 

2. • In the case that q = p is a prime, verify that 4a^3 + 27b^2 ≢ 0 (mod p). The curve equation for E is 

y^2 = x^3 + a · x + b. 

• In the case that q = 2^m, verify that b ≠ 0. The curve equation for E is 

y^2 + x · y = x^3 + a · x^2 + b. 

3. Test u for near primality using the technique defined in Section F.2.2. If the result is "not nearly 
prime", then go to Step 1. Otherwise, u = h · n where h is l_max-smooth and n ≥ r_min is probably prime. 

4. Check the MOV condition (see Section F.1.1) with inputs B ≥ 20, q, and n. If the result is "False", 
then go to Step 1. 

Check the Anomalous condition (see Section F.1.2). If the result is "False", then go to Step 1. 

5. Find a point P on E of order n. (See Section F.3.1.) 

6. Output the curve E, the point P, the order n, and the cofactor h. 

Notes: 

1. r_min shall be selected so that r_min > 2^160. The security level can be increased by selecting a 
larger r_min (e.g. r_min > 2^200). 

2. If q is prime, then the order u of an elliptic curve E over F_q satisfies q + 1 − 2√q ≤ u ≤ 
q + 1 + 2√q. Hence for a given q, r_min should be ≤ q + 1 − 2√q. 

3. If q = 2^m, then the order u of an elliptic curve E over F_q satisfies q + 1 − 2√q ≤ u ≤ q + 1 
+ 2√q, and u is even. Hence for a given q, r_min should be ≤ (q + 1 − 2√q)/2. 

4. l_max is typically a small integer (e.g. l_max = 255). 

5. The order #E(F_q) can be computed by using Schoof's algorithm [37]. Although the basic 
algorithm is quite inefficient, several dramatic improvements and extensions of this 
method have been discovered in recent years. Currently, it is feasible to compute orders 
of elliptic curves over F_p where p is as large as 10^499, and orders of elliptic curves over 
F_{2^m} where m is as large as 1300. Cryptographically suitable elliptic curves over fields as 
large as F_{2^196} can be randomly generated in about 5 hours on a workstation (see [24] and 
[25]). 

6. One technique for selecting an elliptic curve of known order is to use the Weil Theorem, 
which states the following. Let E be an elliptic curve defined over F_q, and let t = q + 1 − 
#E(F_q). Let α and β be the complex numbers that satisfy T^2 − t · T + q = (T − α)(T − β). Then 
#E(F_{q^k}) = q^k + 1 − α^k − β^k for all k ≥ 1. 

The Weil Theorem can be used to select a curve over F_{2^m} when m is divisible by a small 
number l as follows. First select a random elliptic curve E: y^2 + x · y = x^3 + a · x^2 + b, b ≠ 0, 
where a, b ∈ F_{2^l}. Note that since l divides m, F_{2^l} is contained in F_{2^m}. Compute #E(F_{2^l}); 
this can easily be done exhaustively since l is small. Then compute #E(F_{2^m}) using the 
Weil Theorem with q = 2^l and k = m/l. 

Sections H.4 and H.5 present sample elliptic curves over a 192-bit prime field, a 239-bit prime 
field, a 256-bit prime field, and the fields F_{2^163}, F_{2^176}, F_{2^191}, F_{2^208}, F_{2^239}, F_{2^272}, F_{2^304}, F_{2^359}, F_{2^368} and F_{2^431}, 
which may be used to ensure the correct implementation of this Standard. 

F.3.3. Selecting an Elliptic Curve Verifiably at Random 

In order to verify that a given elliptic curve was indeed generated at random, the defining parameters of the 
elliptic curve are defined to be outputs of the hash function SHA-1 (as specified in ANSI X9.30-1993). The 
input (SEED) to SHA-1 then serves as proof (under the assumption that SHA-1 cannot be inverted) that the 
parameters were indeed generated at random. (See Section F.3.4.) The algorithms in this section are used in 
Section F.3.2. 

F.3.3.a. Elliptic curves over F_{2^m} 

Input: A field size q = 2^m. 

Output: A bit string SEED and field elements a, b ∈ F_{2^m} which define an elliptic curve over F_{2^m}. 

Let t = m, s = ⌊(t − 1) / 160⌋, and h = t − 160 · s. 

1. Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of SEED in 
bits. 

2. Compute H = SHA-1(SEED), and let b_0 denote the bit string of length h bits obtained by taking the 
h rightmost bits of H. 

3. For i from 1 to s do: 

Compute b_i = SHA-1((SEED + i) mod 2^g). 

4. Let b be the field element obtained by the concatenation of b_0, b_1, ..., b_s as follows: 

b = b_0 || b_1 || ... || b_s. 

5. If b = 0, then go to Step 1. 


6. Let a be an arbitrary element in F_{2^m}. 

7. The elliptic curve chosen over F_{2^m} is 

E : y^2 + x · y = x^3 + a · x^2 + b. 

8. Output (SEED, a, b). 

F.3.3.b. Elliptic curves over F_p 

Input: A prime field size p. 

Output: A bit string SEED and field elements a, b ∈ F_p which define an elliptic curve over F_p. 

Let t = ⌈log_2 p⌉, s = ⌊(t − 1) / 160⌋, and h = t − 160 · s. 

1. Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of SEED in 
bits. 

2. Compute H = SHA-1(SEED), and let c_0 denote the bit string of length h bits obtained by taking the 
h rightmost bits of H. 

3. Let W_0 denote the bit string of length h bits obtained by setting the leftmost bit of c_0 to 0. (This 
ensures that r < p.) 

4. For i from 1 to s do: 

Compute W_i = SHA-1((SEED + i) mod 2^g). 

5. Let W be the bit string obtained by the concatenation of W_0, W_1, ..., W_s as follows: 

W = W_0 || W_1 || ... || W_s. 

6. Let w_1, w_2, ..., w_t be the bits of W from leftmost to rightmost. Let r be the integer 

r = Σ_{i=1}^{t} w_i · 2^(t−i). 

7. Choose integers a, b ∈ F_p such that r · b^2 ≡ a^3 (mod p). (It is not necessary that a and b be chosen 
at random. For example, one may choose a = r and b = r.) 

8. If 4a^3 + 27b^2 ≡ 0 (mod p), then go to Step 1. 

9. The elliptic curve chosen over F_p is 

E : y^2 = x^3 + a · x + b. 

10. Output (SEED, a, b). 

F.3.4. Verifying that an Elliptic Curve was Generated at Random 

The technique specified in this section verifies that the defining parameters of an elliptic curve were indeed 
selected using the method specified in Section F.3.3. 

F.3.4.a. Elliptic curves over F_{2^m} 

Input: A bit string SEED and a field element b ∈ F_{2^m}. 

Output: Acceptance or rejection of the input parameters. 

Let t = m, s = ⌊(t − 1) / 160⌋, and h = t − 160 · s. 

1. Compute H = SHA-1(SEED), and let b_0 denote the bit string of length h bits obtained by taking the 
h rightmost bits of H. 

2. For i from 1 to s do: 

Compute b_i = SHA-1((SEED + i) mod 2^g), where g is the length of SEED in bits. 

3. Let b' be the field element obtained by the concatenation of b_0, b_1, ..., b_s as follows: 

b' = b_0 || b_1 || ... || b_s. 

4. If b = b' then accept; otherwise reject. 
F.3.4.b. Elliptic curves over F_p 

Input: A bit string SEED and field elements a, b ∈ F_p. 

Output: Acceptance or rejection of the input parameters. 

Let t = ⌈log_2 p⌉, s = ⌊(t − 1) / 160⌋, and h = t − 160 · s. 

1. Compute H = SHA-1(SEED) and let c_0 denote the bit string of length h bits obtained by taking the 
h rightmost bits of H. 

2. Let W_0 denote the bit string of length h bits obtained by setting the leftmost bit of c_0 to 0. 

3. For i from 1 to s do: 

Compute W_i = SHA-1((SEED + i) mod 2^g), where g is the length of SEED in bits. 

4. Let W' be the bit string obtained by the concatenation of W_0, W_1, ..., W_s as follows: 

W' = W_0 || W_1 || ... || W_s. 

5. Let w_1, w_2, ..., w_t be the bits of W' from leftmost to rightmost. Let r' be the integer 

r' = Σ_{i=1}^{t} w_i · 2^(t−i). 

6. If r' · b^2 ≡ a^3 (mod p) then accept; otherwise reject. 
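Sections F.3.3 and F.3.4 as an added Python example that is not part of this Standard, built on hashlib's SHA-1. The prime-field verification is run on the 192-bit curve the Standard cites as a sample (NIST P-192, prime192v1): its SEED and coefficient b are quoted from memory of FIPS 186-2 rather than from this page, so the claim that they verify is an assumption the code itself tests; the F_{2^163} case uses a SEED constructed here.

```python
# Added example, not part of ANSI X9.62: Sections F.3.3 / F.3.4, the SEED ->
# (a, b) derivation and its verification, using hashlib's SHA-1.  The prime
# field sample is the 192-bit curve the Standard refers to (NIST P-192,
# p = 2^192 - 2^64 - 1, a = p - 3); its SEED and b are quoted from memory of
# FIPS 186-2, not from this page.  The binary-field sample (m = 163) uses a
# SEED constructed here.  Field elements are Python ints.
import hashlib

SHA1_BITS = 160


def _sha1_int(x, nbytes):
    """SHA-1 of the nbytes-byte big-endian encoding of x, as an integer."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(nbytes, "big")).digest(), "big")


def _hash_chain(seed, t):
    """Steps shared by F.3.3 and F.3.4: returns (h, [H0_tail, H1, ..., Hs]),
    where H0_tail is the h rightmost bits of SHA-1(SEED) and
    Hi = SHA-1((SEED + i) mod 2^g) for i = 1..s."""
    g = 8 * len(seed)                                  # SEED length in bits
    if g < SHA1_BITS:
        raise ValueError("SEED must be at least 160 bits")
    s = (t - 1) // SHA1_BITS
    h = t - SHA1_BITS * s
    seed_int = int.from_bytes(seed, "big")
    parts = [_sha1_int(seed_int, len(seed)) & ((1 << h) - 1)]           # c_0 / b_0
    for i in range(1, s + 1):
        parts.append(_sha1_int((seed_int + i) % (1 << g), len(seed)))   # W_i / b_i
    return h, parts


def derive_b_binary(seed, m):
    """F.3.3.a steps 2-4 (= F.3.4.a steps 1-3): b = b_0 || b_1 || ... || b_s
    as an element of F_2^m (bit i is the coefficient of x^i)."""
    _, parts = _hash_chain(seed, m)
    b = parts[0]
    for part in parts[1:]:
        b = (b << SHA1_BITS) | part
    return b


def derive_r_prime(seed, p):
    """F.3.3.b steps 2-6 (= F.3.4.b steps 1-5): the integer r (r') for F_p."""
    t = p.bit_length()                                 # ceil(log2 p) for a prime p > 2
    h, parts = _hash_chain(seed, t)
    r = parts[0] & ~(1 << (h - 1))                     # W_0: leftmost of the h bits -> 0
    for part in parts[1:]:
        r = (r << SHA1_BITS) | part
    return r


def verify_prime_curve(seed, p, a, b):
    """F.3.4.b step 6: accept iff r' * b^2 = a^3 (mod p)."""
    r = derive_r_prime(seed, p)
    return (r * b * b - a * a * a) % p == 0


def verify_binary_curve(seed, m, b):
    """F.3.4.a step 4: accept iff the recomputed b' equals b."""
    return derive_b_binary(seed, m) == b


# --- sample inputs (see header) ---
P192_P = 2**192 - 2**64 - 1
P192_A = P192_P - 3
P192_B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
P192_SEED = bytes.fromhex("3045AE6FC8422F64ED579528D38120EAE12196D5")

TOY_SEED = bytes(range(20))          # constructed 160-bit SEED for the F_2^163 case
TOY_M = 163

if __name__ == "__main__":
    print("P-192 seed verifies :", verify_prime_curve(P192_SEED, P192_P, P192_A, P192_B))
    print("tampered b rejected :", verify_prime_curve(P192_SEED, P192_P, P192_A, P192_B ^ 1))
    b = derive_b_binary(TOY_SEED, TOY_M)
    print("F_2^163: b has", b.bit_length(), "bits, self-check:", verify_binary_curve(TOY_SEED, TOY_M, b))
```

For P-192, t = 192 gives s = 1 and h = 32: r is the 32 rightmost bits of SHA-1(SEED) with the top bit cleared, followed by SHA-1(SEED + 1), so r < 2^191 < p as Step 3 of F.3.3.b requires.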


F.4. Pseudorandom Number Generation 

Any implementation of the ECDSA requires the ability to generate random or pseudorandom integers. Such 
numbers are used to derive a user’s private key, d, and a user’s per-message secret number k. These 
randomly or pseudorandomly generated integers are selected to be between 2 and n-2 inclusive, where n is 
a prime number. If pseudorandom numbers are desired, they shall be generated by the techniques given in 
this section. 

F.4.1. Algorithm Derived from FIPS 186 

The algorithm described in this section employs a one-way function G(t, c), where t is 160 bits, c is b bits 
(160 ≤ b ≤ 512), and G(t, c) is 160 bits. One way to construct G is via the Secure Hash Algorithm (SHA-1), 
as defined in ANSI X9.30 Part 2. A second method for constructing G is to use the Data Encryption 
Algorithm (DEA) as specified in ANSI X9.32. The construction of G by these techniques is described in 
Sections F.4.1.a and F.4.1.b, respectively. 

In the algorithm specified below, a secret b-bit seed-key XKEY is used. If G is constructed via SHA-1 as 
defined in Section F.4.1.a, then b shall be between 160 and 512. If DEA is used to construct G as defined in 
Section F.4.1.b, then b shall be equal to 160. The algorithm optionally allows the use of a user provided 
input. 

Input: A prime number n, positive integer l, and integer b (160 ≤ b ≤ 512). 

Output: l pseudorandom integers k_1, k_2, ..., k_l in the interval [1, n − 1]. 

1. Let s = ⌊log_2 n⌋ + 1 and f = ⌈s / 160⌉. 

2. Choose a new, secret value for the seed-key, XKEY. (XKEY is of length b bits.) 

3. In hexadecimal notation let 

t = 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0. 

This is the initial value for H_0 || H_1 || H_2 || H_3 || H_4 in SHA-1. 

4. For i from 1 to l do the following: 

4.1. For j from 1 to f do the following: 

(a) XSEED_j = optional user input. 

(b) XVAL = (XKEY + XSEED_j) mod 2^b. 

(c) x_j = G(t, XVAL). 

(d) XKEY = (1 + XKEY + x_j) mod 2^b. 

4.2. Set k_i = ((x_1 || x_2 || ... || x_f) mod (n − 1)). 

4.3. If k_i = 0, then set k_i = n − 1. 

5. Output (k_1, k_2, ..., k_l). 

F.4.1.a. Constructing the Function G from the SHA-1 

G(t, c) may be constructed using steps (a)-(e) in Section 3.3 of ANSI X9.30 Part 2. Before 
executing these steps, {H_j} and M_1 must be initialized as follows: 

1. Initialize the {H_j} by dividing the 160-bit value t into five 32-bit segments as follows: 

t = t_0 || t_1 || t_2 || t_3 || t_4. 

Then H_j = t_j for j = 0 through 4. 

2. There will be only one message block, M_1, which is initialized as follows: 

M_1 = c || 0^(512 − b). 

(The first b bits of M_1 contain c, and the remaining (512 − b) bits are set to zero.) 

Then steps (a) through (e) of Section 3.3 of ANSI X9.30 Part 2 are executed, and G(t, c) is 
the 160-bit string represented by the five words: 

H_0 || H_1 || H_2 || H_3 || H_4 

at the end of step (e). 

F.4.1.b. Constructing the Function G from the DEA 

G(t, c) may be constructed using the DEA (Data Encryption Algorithm) as specified in ANSI X3.92. 

Let a ⊕ b denote the bitwise exclusive-or of bit strings a and b, and let a || b denote the concatenation of bit 
strings. If b1 is a 32-bit string, then b1' denotes the 24 least significant bits of b1. 

In the following, DEA_K(A) represents ordinary DEA encryption of the 64-bit block A using the 56-bit 
key K. Now suppose t and c are each 160 bits. To compute G(t, c): 

Step 1: Write: 

t = t_1 || t_2 || t_3 || t_4 || t_5 
c = c_1 || c_2 || c_3 || c_4 || c_5. 

In the above, t_i and c_i are each 32 bits in length. 

Step 2: For i from 1 to 5 do: 

x_i = t_i ⊕ c_i. 

Step 3: For i from 1 to 5 do: 

b1 = c_(((i+3) mod 5) + 1) 

b2 = c_(((i+2) mod 5) + 1) 

a1 = x_i 

a2 = x_((i mod 5) + 1) ⊕ x_(((i+3) mod 5) + 1) 

y_(i,1) || y_(i,2) = DEA_(b1' || b2)(a1 || a2), where y_(i,1) and y_(i,2) are each 32 bits in length. 

Step 4: For i from 1 to 5 do: 

z_i = y_(i,1) ⊕ y_(((i+1) mod 5) + 1, 2) ⊕ y_(((i+2) mod 5) + 1, 1). 

Step 5: Let G(t, c) = z_1 || z_2 || z_3 || z_4 || z_5. 
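The generator of Section F.4.1 with the SHA-1 construction of F.4.1.a, as an added Python example that is not part of this Standard. hashlib does not expose the SHA-1 compression function with a caller-chosen chaining value t, so that function is written out below (it is steps (a)-(e) of ANSI X9.30 Part 2 for one block); a padding wrapper is included only so the compression code can be checked against the standard SHA-1 test vectors. XKEY is a constructed demonstration value and the modulus n is the P-192 order quoted from memory of FIPS 186-2; neither appears on this page.

```python
# Added example, not part of ANSI X9.62: the FIPS 186-derived generator of
# Section F.4.1 with G(t, c) built from SHA-1 as in F.4.1.a.  hashlib cannot
# run the SHA-1 compression function with a caller-chosen chaining value, so
# the compression function is written out; `sha1_digest` wraps it with the
# standard padding purely so it can be checked against known SHA-1 digests.
# XKEY and the modulus n are constructed test values (n is the P-192 order,
# quoted from memory of FIPS 186-2, not from this page).
import secrets
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(H, block):
    """One SHA-1 compression (steps (a)-(e) of X9.30 Part 2 / FIPS 180-1):
    H is a 5-tuple of 32-bit words, block is 64 bytes; returns the new H."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = H
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(H, (a, b, c, d, e)))


SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # the t of Step 3


def sha1_digest(msg):
    """Standard SHA-1 (padding + chaining); used only to validate sha1_compress."""
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    H = SHA1_IV
    for off in range(0, len(data), 64):
        H = sha1_compress(H, data[off:off + 64])
    return struct.pack(">5I", *H)


def G(t, c, b):
    """F.4.1.a: SHA-1 compression with chaining value t on the single, unpadded
    block M_1 = c || 0^(512-b).  t is 160 bits, c is b bits, result is 160 bits."""
    H = tuple((t >> (32 * (4 - j))) & 0xFFFFFFFF for j in range(5))   # t = t_0 || ... || t_4
    block = c.to_bytes(b // 8, "big") + b"\x00" * (64 - b // 8)       # c then zeros
    return int.from_bytes(struct.pack(">5I", *sha1_compress(H, block)), "big")


def fips186_integers(n, l, xkey, b=160, xseed=lambda j: 0):
    """F.4.1: l pseudorandom integers in [1, n-1] from a b-bit secret XKEY.
    xseed(j) supplies the optional user input XSEED_j (default: none)."""
    if not 160 <= b <= 512 or b % 8:
        raise ValueError("b must be a multiple of 8 in [160, 512]")
    s = n.bit_length()                      # Step 1: floor(log2 n) + 1
    f = -(-s // 160)                        #         ceil(s / 160)
    t = int.from_bytes(struct.pack(">5I", *SHA1_IV), "big")   # Step 3
    out = []
    for _ in range(l):                      # Step 4
        x = 0
        for j in range(1, f + 1):           # 4.1
            xval = (xkey + xseed(j)) % (1 << b)        # (b)
            xj = G(t, xval, b)                          # (c)
            xkey = (1 + xkey + xj) % (1 << b)           # (d)
            x = (x << 160) | xj                         # builds x_1 || ... || x_f
        k = x % (n - 1)                     # 4.2
        out.append(k if k else n - 1)       # 4.3
    return out                              # Step 5


P192_N = 6277101735386680763835789423176059013767194773182842284081
DEMO_XKEY = int.from_bytes(bytes(range(1, 21)), "big")   # constructed; a real XKEY is secret

if __name__ == "__main__":
    assert sha1_digest(b"abc").hex() == "a9993e364706816aba3e25717850c26c9cd0d89d"
    print(fips186_integers(P192_N, 3, DEMO_XKEY))                 # reproducible from XKEY
    print(fips186_integers(P192_N, 3, secrets.randbits(160)))     # fresh secret XKEY
```

Because G is the raw compression function and not SHA-1 of the block, replacing it with hashlib.sha1(block) would give a different (padded) result; the test vectors only confirm the compression core, the generator itself is defined by the sequence of XKEY updates in Step 4.1(d).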

F.4.2. Algorithm from ANSI X9.17 

The technique in this section is from Appendix C of ANSI X9.17, "Financial Institution Key Management 
(Wholesale)". 

Let ede*X(Y) represent the DEA multiple encryption of Y under the key *X. Let *K be a DEA key pair 
reserved only for the generation of pseudorandom numbers, let V be a 64-bit seed value which is also kept 
secret, and let ⊕ be the exclusive-or operator. Let DT be a date/time vector which is updated on each 
iteration. I is an intermediate value. A 64-bit vector R is generated as follows: 

I = ede*K(DT) 

R = ede*K(I ⊕ V) 

and a new V is generated by V = ede*K(R ⊕ I). 

Successive values of R may be concatenated to produce a pseudorandom number of the desired length. 
Appendix G Informative Number-Theoretic Algorithms

[Informative]

G.1. Finite Fields and Modular Arithmetic
G.1.1. Exponentiation in a Finite Field

If a is a positive integer and g is an element of the field F_q, then exponentiation is the process of computing g^a. Exponentiation can be performed efficiently by the binary method outlined below. The algorithm is used in Sections G.1.2 and G.1.4.

Input: A positive integer a, a field F_q, and a field element g.

Output: g^a.

1. Set e = a mod (q - 1). If e = 0, then output 1.

2. Let e = e_r e_(r-1) ... e_1 e_0 be the binary representation of e, where the most significant bit e_r of e is 1.

3. Set x = g.

4. For i from r - 1 downto 0 do

4.1. Set x = x^2.

4.2. If e_i = 1, then set x = gx.

5. Output x.

There are several variations of this method which can be used to speed up the computations. One such method which requires some precomputations is described in [21]. See also Knuth [21, pp. 441-466].

G.1.2. Inversion in a Finite Field

If g ≠ 0 is an element of the field F_q, then the inverse g^(-1) is the field element c such that gc = 1. The inverse can be found efficiently by exponentiation since c = g^(q-2). Note that if q is prime and g is an integer satisfying 1 ≤ g ≤ q - 1, then g^(-1) is the integer c, 1 ≤ c ≤ q - 1, such that gc ≡ 1 (mod q). The algorithm is used in Sections 5.3.3 and 5.4.2.

Input: A field F_q, and a non-zero element g ∈ F_q.

Output: The inverse g^(-1).

1. Compute c = g^(q-2) (see Section G.1.1).

2. Output c.

An even more efficient method is the extended Euclidean Algorithm [21, p. 325].

G.1.3. Generating Lucas Sequences

Let P and Q be nonzero integers. The Lucas sequences U_k and V_k for P, Q are defined by

U_0 = 0, U_1 = 1, and U_k = P U_(k-1) - Q U_(k-2) for k ≥ 2.

V_0 = 2, V_1 = P, and V_k = P V_(k-1) - Q V_(k-2) for k ≥ 2.

This recursion is adequate for computing U_k and V_k for small values of k. The following algorithm can be used to efficiently compute U_k and V_k modulo an odd prime p for large values of k. The algorithm is used in Section G.1.4.

Input: An odd prime p, integers P and Q, and a positive integer k.

Output: U_k mod p and V_k mod p.

1. Set Δ = P^2 - 4Q.

2. Let k = k_r k_(r-1) ... k_1 k_0 be the binary representation of k, where the leftmost bit k_r of k is 1.

3. Set U = 1, V = P.

4. For i from r - 1 downto 0 do

4.1. Set (U, V) = (UV mod p, (V^2 + ΔU^2)/2 mod p).

4.2. If k_i = 1 then set (U, V) = ((PU + V)/2 mod p, (PV + ΔU)/2 mod p).

5. Output U and V.
G.1.4. Finding Square Roots Modulo a Prime

Let p be an odd prime, and let g be an integer with 0 ≤ g < p. A square root (mod p) of g is an integer y with 0 ≤ y < p and

y^2 ≡ g (mod p).

If g = 0, then there is one square root (mod p), namely y = 0. If g ≠ 0, then g has either 0 or 2 square roots (mod p). If y is one square root, then the other is p - y.

The following algorithms determine whether g has square roots (mod p) and, if so, compute one. The algorithm is used in Sections 4.4.1.a and G.3.1.

Input: An odd prime p, and an integer g with 0 ≤ g < p.

Output: A square root (mod p) of g if one exists; otherwise, the message "no square roots exist."

ALGORITHM 1: for p ≡ 3 (mod 4), that is p = 4u + 3 for some positive integer u.

1. Compute y = g^(u+1) mod p via Section G.1.1.

2. Compute z = y^2 mod p.

3. If z = g, then output y. Otherwise output the message "no square roots exist."

ALGORITHM 2: for p ≡ 5 (mod 8), that is p = 8u + 5 for some positive integer u.

1. Compute y = (2g)^u mod p via Section G.1.1.

2. Compute i = 2gy^2 mod p.

3. Compute y = gy(i - 1) mod p.

4. Compute z = y^2 mod p.

5. If z = g, then output y. Otherwise output the message "no square roots exist."

ALGORITHM 3: for p ≡ 1 (mod 4), that is p = 4u + 1 for some positive integer u.

1. Set Q = g.

2. Generate random P with 0 < P < p.

3. Using Section G.1.3, compute the Lucas sequence elements

U = U_(2u+1) mod p, V = V_(2u+1) mod p.

4. If V^2 ≡ 4Q (mod p) then output y = V/2 mod p and stop.

5. If U ≢ ±1 (mod p) then output the message "no square roots exist" and stop.

6. Go to Step 2.
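The three square-root algorithms above, together with the Lucas-sequence routine of Section G.1.3 they rely on, as an added Python example (not part of the standard): sqrt_mod_prime dispatches on p mod 8 exactly as the ALGORITHM 1/2/3 cases do, and ALGORITHM 3 obtains U_(2u+1), V_(2u+1) from lucas_mod. The function names are this example's own.

```python
import random


def lucas_mod(P, Q, k, p):
    """Section G.1.3: return (U_k mod p, V_k mod p) for the Lucas sequences of P, Q."""
    delta = P * P - 4 * Q                      # step 1
    inv2 = pow(2, -1, p)                       # "/2" means multiplication by 2^-1 mod p
    U, V = 1, P                                # step 3: (U_1, V_1)
    for bit in bin(k)[3:]:                     # step 4: bits k_(r-1) ... k_0 below the leading 1
        # 4.1: index k -> 2k
        U, V = (U * V) % p, ((V * V + delta * U * U) * inv2) % p
        if bit == "1":                         # 4.2: index 2k -> 2k + 1
            U, V = ((P * U + V) * inv2) % p, ((P * V + delta * U) * inv2) % p
    return U, V                                # step 5


def sqrt_mod_prime(g, p):
    """Section G.1.4: a square root of g modulo the odd prime p, or None when none exists."""
    g %= p
    if g == 0:
        return 0                               # the single root y = 0
    if p % 4 == 3:                             # ALGORITHM 1, p = 4u + 3
        u = (p - 3) // 4
        y = pow(g, u + 1, p)
        return y if y * y % p == g else None
    if p % 8 == 5:                             # ALGORITHM 2, p = 8u + 5
        u = (p - 5) // 8
        y = pow(2 * g, u, p)
        i = (2 * g * y * y) % p
        y = (g * y * (i - 1)) % p
        return y if y * y % p == g else None
    # ALGORITHM 3, p = 4u + 1 (reached only for p = 1 mod 8): Lucas-sequence method
    u = (p - 1) // 4
    Q = g                                      # step 1
    while True:
        P = random.randrange(1, p)             # step 2: random P with 0 < P < p
        U, V = lucas_mod(P, Q, 2 * u + 1, p)   # step 3: U_(2u+1), V_(2u+1) mod p
        if (V * V - 4 * Q) % p == 0:           # step 4: V^2 = 4Q (mod p)
            return (V * pow(2, -1, p)) % p     #         y = V/2 mod p
        if U != 1 and U != p - 1:              # step 5: U is not +-1, so g is a non-residue
            return None
        # step 6: U = +-1 gives no decision, try another P


if __name__ == "__main__":
    for g, p in ((2, 7), (10, 13), (13, 17), (8, 41), (3, 41)):   # constructed sample inputs
        y = sqrt_mod_prime(g, p)
        print(f"p={p:>2} g={g:>2} ->", "no square roots exist" if y is None else f"y={y}")
```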

G.1.5. Trace and Half-Trace Functions

If α is an element of F_2^m, the trace of α is:

Tr(α) = α + α^2 + α^(2^2) + ... + α^(2^(m-1)).

The value of Tr(α) is 0 for half the elements of F_2^m, and 1 for the other half.

The trace can be computed as follows. The methods are used in Section G.1.6.

Normal basis representation used for elements of F_2^m:

If α has representation (α_0 α_1 ... α_(m-1)), then
Tr(α) = α_0 ⊕ α_1 ⊕ ... ⊕ α_(m-1).

Polynomial basis representation used for elements of F_2^m:

1. Set T = α.

2. For i from 1 to m - 1 do

2.1. T = T^2 + α.

3. Output T.

If m is odd, the half-trace of α is

α + α^(2^2) + α^(2^4) + ... + α^(2^(m-1)).

If F_2^m is represented by a polynomial basis, the half-trace can be computed efficiently as follows. The method is used in Section G.1.6.

1. Set T = α.

2. For i from 1 to (m - 1)/2 do

2.1. T = T^2.

2.2. T = T^2 + α.

3. Output T.

G.1.6. Solving Quadratic Equations over F_2^m

If β is an element of F_2^m, then the equation:
z^2 + z = β

has 2 - 2T solutions over F_2^m, where T = Tr(β). Thus, there are either 0 or 2 solutions.

If β = 0, then the solutions are 0 and 1. If β ≠ 0 and z is a solution, then the other solution is z + 1.

The following algorithms determine whether a solution z exists for a given β, and if so, compute one. The algorithms are used in point compression (see Section 4.4.1.b) and in Section G.3.1.

Input: A field F_2^m along with a basis for representing its elements; and an element β ≠ 0.

Output: An element z for which z^2 + z = β if any exist; otherwise the message "no solutions exist".

ALGORITHM 1: for normal basis representation.

1. Let (β_0 β_1 ... β_(m-1)) be the representation of β.

2. Set z_0 = 0.

3. For i from 1 to m - 1 do

3.1. Set z_i = z_(i-1) ⊕ β_i.

4. Set z = (z_0 z_1 ... z_(m-1)).

5. Compute γ = z^2 + z.

6. If γ = β then output z. Otherwise output the message "no solutions exist".

ALGORITHM 2: for polynomial basis representation, with m odd.

1. Compute z = half-trace of β via Section G.1.5.

2. Compute γ = z^2 + z.

3. If γ = β then output z. Otherwise output the message "no solutions exist".

ALGORITHM 3: works in any polynomial basis.

1. Choose a random τ ∈ F_2^m.

2. Set z = 0 and w = β.

3. For i from 1 to m - 1 do

3.1. Set z = z^2 + w^2 τ.

3.2. Set w = w^2 + β.

4. If w ≠ 0 then output the message "no solutions exist" and stop.

5. Compute γ = z^2 + z.

6. If γ = 0 then go to Step 1.

7. Output z.
G.1.7. Checking the Order of an Integer Modulo a Prime

Let p be a prime and let g satisfy 1 < g < p. The order of g modulo p is the smallest positive integer k such that g^k ≡ 1 (mod p). The following algorithm tests whether or not g has order k modulo p. The algorithm is used in Section G.1.8.

Input: A prime p, a positive integer k, and an integer g with 1 < g < p.

Output: "True" if g has order k modulo p, and "False" otherwise.

1. Determine the prime divisors of k.

2. If g^k ≢ 1 (mod p), then output "False" and stop.

3. For each prime l dividing k do

3.1. If g^(k/l) ≡ 1 (mod p), then output "False" and stop.

4. Output "True".

G.1.8. Checking the Existence of an Optimal Normal Basis

The following algorithm determines whether an optimal normal basis of Type I or Type II (or both) exists for F_2^m.

Input: A positive integer m > 1.

Output: A message "Type I only", "Type II only", "Both Types", or "Neither Type".

1. Set T_1 = "False" and T_2 = "False".

2. If m ≡ 2 or 4 (mod 8) and p = m + 1 is prime, then

2.1. Test (using the technique defined in Section G.1.7) whether 2 has order p - 1 modulo p. Let T_1 be the output of this test ("True" or "False").

3. If m ≡ 1 or 2 (mod 4) and p = 2m + 1 is prime, then

3.1. Test (using the technique defined in Section G.1.7) whether 2 has order p - 1 modulo p. Let T_2 be the output of this test ("True" or "False").

4. If m ≡ 3 (mod 4) and p = 2m + 1 is prime, then:

4.1. Test (using the technique defined in Section G.1.7) whether 2 has order (p - 1)/2 modulo p. Let T_2 be the output of this test ("True" or "False").

5. If T_1 = "True" and T_2 = "True" then output "Both Types".

5.1. If T_1 = "True" and T_2 = "False" then output "Type I only".

5.2. If T_1 = "False" and T_2 = "True" then output "Type II only".

5.3. If T_1 = "False" and T_2 = "False" then output "Neither Type".

G.2. Polynomials over a Finite Field

G.2.1. GCD's over a Finite Field

If f(t) and g(t) ≠ 0 are two polynomials with coefficients in the field F_q, then there is a unique monic polynomial d(t) of largest degree which divides both f(t) and g(t). The polynomial d(t) is called the greatest common divisor or gcd of f(t) and g(t). The following algorithm (the Euclidean algorithm) computes the gcd of two polynomials. The algorithm is used in Section G.2.2.

Input: A finite field F_q and two polynomials f(t), g(t) ≠ 0 over F_q.

Output: d(t) = gcd(f(t), g(t)).

1. Set a(t) = f(t), b(t) = g(t).

2. While b(t) ≠ 0

2.1. Set c(t) = the remainder when a(t) is divided by b(t).

2.2. Set a(t) = b(t).

2.3. Set b(t) = c(t).

3. Let α be the leading coefficient of a(t) and output α^(-1) a(t).
G.2.2. Finding a Root in F_2^m of an Irreducible Binary Polynomial

If f(t) is an irreducible polynomial (mod 2) of degree m, then f(t) has m distinct roots in the field F_2^m. A random root can be found efficiently using the following algorithm. The algorithm is used in Section G.2.3.

Input: An irreducible polynomial f(t) of degree m over F_2, and a field F_2^m.

Output: A random root of f(t) in F_2^m.

1. Set g(t) = f(t).

2. While deg(g) > 1

2.1. Choose random u ∈ F_2^m.

2.2. Set c(t) = ut.

2.3. For i from 1 to m - 1 do

2.3.1. c(t) = (c(t)^2 + ut) mod g(t).

2.4. Set h(t) = gcd(c(t), g(t)).

2.5. If h(t) is constant or deg(g) = deg(h), then go to step 2.1.

2.6. If 2deg(h) > deg(g), then set g(t) = g(t)/h(t); else g(t) = h(t).

3. Output g(0).

G.2.3. Change of Basis

Given a field F_2^m and two (polynomial or normal) bases B_1 and B_2 for the field over F_2, the following algorithm allows conversion between bases B_1 and B_2.

1. Let f(t) be the field polynomial of B_2. That is,

1.1. If B_2 is a polynomial basis, let f(t) be the (irreducible) reduction polynomial of degree m over F_2.

1.2. If B_2 is a Type I optimal normal basis (see Section G.1.8), let:

f(t) = t^m + t^(m-1) + t^(m-2) + ... + t + 1.

1.3. If B_2 is a Type II optimal normal basis (see Section G.1.8), let:

f(t) = Σ t^j, the sum taken over all j with 0 ≤ j ≤ m and m - j ≼ m + j,

where the notation a ≼ b means that in the binary representations

a = Σ_i a_i 2^i, b = Σ_i b_i 2^i,

we have a_i ≤ b_i for all i. (These polynomials can also be calculated using the recursion from Section 4.1.4.a.)

2. Let γ be a root of f(t) computed with respect to B_1. (γ can be computed using the technique defined in Section G.2.2.)

3. Let Γ be the matrix:

Γ = [ γ_(0,0)    γ_(0,1)    ...  γ_(0,m-1)   ]
    [ γ_(1,0)    γ_(1,1)    ...  γ_(1,m-1)   ]
    [   ...        ...      ...     ...      ]
    [ γ_(m-1,0)  γ_(m-1,1)  ...  γ_(m-1,m-1) ]

where the entries γ_(i,j) are defined as follows:

3.1. If B_2 is a polynomial basis, then:

1 = (γ_(0,0) γ_(0,1) ... γ_(0,m-1))
γ = (γ_(1,0) γ_(1,1) ... γ_(1,m-1))
γ^2 = (γ_(2,0) γ_(2,1) ... γ_(2,m-1))
...
γ^(m-1) = (γ_(m-1,0) γ_(m-1,1) ... γ_(m-1,m-1))

with respect to B_1. (The entries γ_(i,j) are computed by repeated multiplication by γ.)

3.2. If B_2 is an optimal normal basis, then:

γ = (γ_(0,0) γ_(0,1) ... γ_(0,m-1))
γ^2 = (γ_(1,0) γ_(1,1) ... γ_(1,m-1))
γ^4 = (γ_(2,0) γ_(2,1) ... γ_(2,m-1))
...
γ^(2^(m-1)) = (γ_(m-1,0) γ_(m-1,1) ... γ_(m-1,m-1))

with respect to B_1. (The entries γ_(i,j) are computed by repeated squaring of γ.)

4. If an element has representation (β_0 β_1 ... β_(m-1)) with respect to B_2, then its representation with respect to B_1 is

(α_0 α_1 ... α_(m-1)) = (β_0 β_1 ... β_(m-1)) Γ.

If an element has representation (α_0 α_1 ... α_(m-1)) with respect to B_1, then its representation with respect to B_2 is

(β_0 β_1 ... β_(m-1)) = (α_0 α_1 ... α_(m-1)) Γ^(-1).

Example: Suppose that B_1 is the polynomial basis (mod t^4 + t + 1), and B_2 is the Type I optimal normal basis for F_2^4.

Then: f(t) = t^4 + t^3 + t^2 + t + 1, and a root is given by γ = (1100) with respect to B_1. Then:
γ = (1100)
γ^2 = (1111)
γ^4 = (1010)
γ^8 = (1000),

so that:

Γ = [1 1 0 0]
    [1 1 1 1]
    [1 0 1 0]
    [1 0 0 0]

and:

Γ^(-1) = [0 0 0 1]
         [1 0 0 1]
         [0 0 1 1]
         [1 1 1 1]

If λ = (1001) with respect to B_2, then its representation with respect to B_1 is:

(0100) = (1001) Γ.

If λ = (1011) with respect to B_1, then its representation with respect to B_2 is:

(1101) = (1011) Γ^(-1).
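The worked example above carried out in added Python code (not part of the standard): Γ is built from γ = (1100) by repeated squaring as in step 3.2, Γ^(-1) is obtained by Gauss-Jordan elimination over F_2 (the page does not say how it computed the inverse; elimination is this example's choice), and the two step-4 conversions are applied. Bit strings are written highest coefficient first, as in the page's example; the function names are this example's own.

```python
M = 4
FPOLY = 0b10011                      # t^4 + t + 1, the reduction polynomial of B_1


def mul_b1(a, b):
    """Multiply two elements written in B_1 (bit i of the int is the coefficient of t^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:                   # reduce as soon as the degree reaches m
            a ^= FPOLY
    return r


def to_bits(v):                      # int -> page-style string "a_3 a_2 a_1 a_0"
    return format(v, f"0{M}b")


def from_bits(s):
    return int(s, 2)


def is_root_of_b2_poly(g):
    """Step 1.2: f(t) = t^4 + t^3 + t^2 + t + 1 (Type I ONB field polynomial); f(g) must be 0."""
    acc, power = 0, 1
    for _ in range(M + 1):
        acc ^= power                 # add g^0, g^1, ..., g^4
        power = mul_b1(power, g)
    return acc == 0


def gamma_matrix(gamma):
    """Step 3.2: rows gamma, gamma^2, gamma^4, ... (repeated squaring), each w.r.t. B_1."""
    rows, g = [], gamma
    for _ in range(M):
        rows.append(g)
        g = mul_b1(g, g)
    return rows


def invert_gf2(rows):
    """Inverse of an m x m matrix over F_2 (rows as ints) by Gauss-Jordan elimination."""
    aug = [(rows[i] << M) | (1 << (M - 1 - i)) for i in range(M)]   # [row | identity row]
    for col in range(M):
        bit = 1 << (2 * M - 1 - col)
        piv = next(i for i in range(col, M) if aug[i] & bit)        # matrix is invertible
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(M):
            if i != col and aug[i] & bit:
                aug[i] ^= aug[col]
    return [a & ((1 << M) - 1) for a in aug]                        # right half = inverse


def vec_times(vec, rows):
    """(v_0 ... v_(m-1)) times a matrix over F_2: XOR of the rows selected by the 1 bits."""
    r = 0
    for i in range(M):
        if (vec >> (M - 1 - i)) & 1:
            r ^= rows[i]
    return r


GAMMA = from_bits("1100")            # the page's root gamma w.r.t. B_1
G_MAT = gamma_matrix(GAMMA)          # Gamma
G_INV = invert_gf2(G_MAT)            # Gamma^-1


def b2_to_b1(beta):                  # step 4: alpha = beta * Gamma
    return vec_times(beta, G_MAT)


def b1_to_b2(alpha):                 # step 4: beta = alpha * Gamma^-1
    return vec_times(alpha, G_INV)


if __name__ == "__main__":
    print("Gamma    :", [to_bits(r) for r in G_MAT])
    print("Gamma^-1 :", [to_bits(r) for r in G_INV])
    print("(1001) in B_2 ->", to_bits(b2_to_b1(from_bits("1001"))), "in B_1")
    print("(1011) in B_1 ->", to_bits(b1_to_b2(from_bits("1011"))), "in B_2")
```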

G.2.4. Checking Polynomials over F_2 for Irreducibility

If f(x) is a polynomial with coefficients in the field F_2, then f(x) can be tested efficiently for irreducibility using the following algorithm. The algorithm is used in Section 5.1.2.b.

Input: A polynomial f(x) with coefficients in F_2.

Output: The message "True" if f(x) is irreducible over F_2, the message "False" otherwise.

1. Set d = degree of f(x).

2. Set u(x) = x.

3. For i from 1 to ⌊d/2⌋ do

3.1. Set u(x) = u(x)^2 mod f(x).

3.2. Set g(x) = gcd(u(x) + x, f(x)).

3.3. If g(x) ≠ 1 then output "False" and stop.

4. Output "True".


G.3. Elliptic Curve Algorithms
G.3.1. Finding a Point on an Elliptic Curve

The following algorithms provide an efficient method for finding a random point (other than O) on a given elliptic curve over a finite field. These algorithms are used in Sections F.3.1 and F.3.2.

Case I: Curves over F_p

Input: A prime p and the parameters a and b of an elliptic curve E over F_p.

Output: A randomly generated point (other than O) on E.

1. Choose a random integer x with 0 ≤ x < p.

2. Set α = x^3 + ax + b mod p.

3. If α = 0 then output (x, 0) and stop.

4. Apply the appropriate algorithm from Section G.1.4 to look for a square root (mod p) of α.

5. If the output of Step 4 is "no square roots exist," then go to Step 1. Otherwise the output of Step 4 is an integer y with 0 < y < p such that y^2 ≡ α (mod p).

6. Output (x, y).

Case II: Curves over F_2^m.

Input: A field F_2^m and the parameters a and b of an elliptic curve E over F_2^m.

Output: A randomly generated point (other than O) on E.

1. Choose a random element x in F_2^m.

2. If x = 0, then output (0, b^(2^(m-1))) and stop.

3. Set α = x^3 + ax^2 + b.

4. If α = 0, then output (x, 0) and stop.

5. Set β = x^(-2) α.

6. Apply the appropriate algorithm from Section G.1.6 to look for an element z for which z^2 + z = β.

7. If the output of Step 6 is "no solutions exist," then go to Step 1. Otherwise the output of Step 6 is a solution z.

8. Set y = xz.

9. Output (x, y).
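An added Python example (not the standard's code) tying Sections G.1.5, G.1.6 and G.3.1 Case II together: polynomial-basis arithmetic over F_2^191 with f = t^191 + t^9 + 1, the half-trace solver of G.1.6 ALGORITHM 2, and the β = x^(-2)α step of G.3.1 used to recover y from a compressed point (the prefix octet 02/03 carrying the rightmost bit of z = y/x). The curve and point are those of the Octet-String-to-Point example (ii) in Section H.1, with y_1 written in hex; the function names are this example's own.

```python
M = 191
FPOLY = (1 << 191) | (1 << 9) | 1            # f = 80000000 ... 00000201 from Section H.1


def gf_mul(a, b):
    """Multiply two field elements (bit i of an int is the coefficient of t^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:                           # reduce modulo f when the degree reaches m
            a ^= FPOLY
    return r


def gf_pow(g, e):
    """Section G.1.1 binary method, here applied in F_2^m."""
    x = 1
    for bit in bin(e)[2:]:
        x = gf_mul(x, x)
        if bit == "1":
            x = gf_mul(x, g)
    return x


def gf_inv(a):
    """Section G.1.2: a^(-1) = a^(2^m - 2)."""
    return gf_pow(a, (1 << M) - 2)


def trace(a):
    """Section G.1.5, polynomial basis: T = T^2 + a repeated m-1 times."""
    t = a
    for _ in range(M - 1):
        t = gf_mul(t, t) ^ a
    return t


def half_trace(a):
    """Section G.1.5 (m odd): T = (T^2)^2 + a repeated (m-1)/2 times."""
    t = a
    for _ in range((M - 1) // 2):
        t = gf_mul(t, t)
        t = gf_mul(t, t) ^ a
    return t


def solve_quadratic(beta):
    """Section G.1.6 ALGORITHM 2: z with z^2 + z = beta, or None when no solution exists."""
    z = half_trace(beta)
    return z if gf_mul(z, z) ^ z == beta else None


def on_curve(a, b, x, y):
    """Check y^2 + xy = x^3 + ax^2 + b."""
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(a, x2) ^ b


def decompress(a, b, prefix, x):
    """Recover (x, y) from a compressed point; prefix 02/03 is the rightmost bit of y/x."""
    ybit = prefix - 2
    if x == 0:
        return (0, gf_pow(b, 1 << (M - 1)))  # G.3.1 Case II step 2: y = b^(2^(m-1))
    x2 = gf_mul(x, x)
    alpha = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b          # step 3: x^3 + ax^2 + b
    beta = gf_mul(gf_inv(x2), alpha)                   # step 5: x^-2 * alpha
    z = solve_quadratic(beta)                          # step 6
    if z is None:
        return None                                    # no point has this x-coordinate
    if (z & 1) != ybit:
        z ^= 1                                         # the other solution, z + 1
    return (x, gf_mul(x, z))                           # step 8: y = xz


# Curve and point of the Octet-String-to-Point example (ii), Section H.1
A = 0x401028774D7777C7B7666D1366EA432071274F89FF01E718
B = 0x0620048D28BCBD03B6249C99182B7C8CD19700C362C46A01
X1 = 0x3809B2B7CC1B28CC5A87926AAD83FD28789E81E2C9E3BF10
Y1 = 0x17434386626D14F3DBF01760D9213A3E1CF37AEC437D668A   # the page's y_1, in hex

if __name__ == "__main__":
    print(decompress(A, B, 0x02, X1) == (X1, Y1))
```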
G.3.2. Computing a Multiple of an Elliptic Curve Point

If k is a positive integer and P is an elliptic curve point, then kP is the point obtained by adding together k copies of P. This computation can be performed efficiently by the addition-subtraction method outlined below. These algorithms are used, for example, in Sections 5.1.1, 5.1.2, 5.3, and 5.4.

Input: A positive integer k and an elliptic curve point P.

Output: The elliptic curve point kP.

1. Set e = k mod n, where n is the order of P. (If n is unknown, then set e = k instead.)

2. Let h_r h_(r-1) ... h_1 h_0 be the binary representation of 3e, where the leftmost bit h_r is 1.

3. Let e_r e_(r-1) ... e_1 e_0 be the binary representation of e.

4. Set Q = P.

5. For i from r - 1 down to 1 do

5.1. Set Q = 2Q.

5.2. If h_i = 1 and e_i = 0, then set Q = Q + P.

5.3. If h_i = 0 and e_i = 1, then set Q = Q - P.

6. Output Q.

Note: To subtract the point (x, y), just add the point (x, -y) (for the field F_p) or (x, x + y) (for the field F_2^m).

There are several variations of this method which can be used to speed up the computations. One such method which requires some precomputations is described in [10]. See also Knuth [21, pages 441-466].
Appendix H Examples of ECDSA and Sample Curves

[Informative]

This appendix contains 5 parts.

• Section H.1 presents examples of data conversion methods.

• Section H.2 presents 2 examples of ECDSA over the field F_2^m.[3]

• Section H.3 presents 2 examples of ECDSA over the field F_p, where p is an odd prime.

• Section H.4 presents sample elliptic curves over the field F_2^m with system parameters for m = 163, 176, 191, 208, 239, 272, 304, 359, 368 and 431.

• Section H.5 presents sample elliptic curves over the field F_p with system parameters for 192-bit, 239-bit, and 256-bit primes.

The sample curves in Sections H.4 and H.5 may be used in an implementation of this Standard.

H.1. Examples of Data Conversion Methods

The following are examples of the data conversion techniques that shall be used in this Standard (See Figure 1).

Example of Integer-to-Octet-String Conversion. (See Section 4.2.1.)

Input: x = 123456789, k = 4
Output: M = 075BCD15

Example of Octet-String-to-Integer Conversion. (See Section 4.2.2.)

Input: M = 0003ABF1CD
Output: x = 61600205

Example of Field-Element-to-Octet-String Conversion. (See Section 4.3.1.)

(i) Input: α = 94311, q = 104729 (an odd prime).

Output: S = 017067 (l = 3).

(ii) Input: α = 11011011011101111001101111110110111110001, q = 2^41.

Output: S = 01B6EF37EDF1 (l = 6).

Example of Octet-String-to-Field-Element Conversion. (See Section 4.3.2.)

(i) Input: S = 01E74E (l = 3), q = 224737 (an odd prime).
Output: α = 124750.

(ii) Input: S = 0117B2939ACC (l = 6), q = 2^41.

Output: α = 10001011110110010100100111001101011001100.

Example of Field-Element-to-Integer Conversion. (See Section 4.3.3.)

(i) Input: α = 136567, q = 287117 (an odd prime).

Output: x = 136567.

(ii) Input: α = 11111111001000010011110000110011110101110, q = 2^41.
Output: x = 2191548508078.

[3] The curves in Sections H.4.1, H.4.3, H.4.5, H.4.8 and H.4.10 were generated using a software package by R. Lercier and F. Morain that is described in [25].
Example of Point-to-Octet-String Conversion. (See Section 4.4.2.a.)

(i) Input:

p = 6277101735386680763835789423207666416083908700390324961279

The curve is E: y^2 = x^3 + ax + b where

a = 6277101735386680763835789423207666416083908700390324961276

b = 2455155546008943817740293915197451784769108058161191238065

The point is P = (x_1, y_1), where

x_1 = 602046282375688656758213480587526111916698976636884684818

y_1 = 174050332293622031404857552280219410364023488927386650641

Output (compressed form):

PO = 03 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012

Output (uncompressed form):

PO = 04 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

Output (hybrid form):

PO = 07 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

(ii) Input: q = 2^191

The field F_2^191 is generated by the irreducible polynomial

f = 80000000 00000000 00000000 00000000 00000000 00000201

The curve is E: y^2 + xy = x^3 + ax^2 + b over F_2^191, where

a = 2866537B 67675263 6A68F565 54E12640 276B649E F7526267

b = 2E45EF57 1F00786F 67B0081B 9495A3D9 5462F5DE 0AA185EC

The point is P = (x_1, y_1), where

x_1 = 110110101100111101101011111000101000100011001000000110111110011100010011110010100110011101011110110010000110101001110000110110100100010011011111110010110010000100101011100001101010100000110 1

y_1 = 111011001011011111001110011010000110011101100111111100101011110001100110010100100110010111001110000111010100010010001011100101000100100000110001110101000001110111110011000000000011000111110 11

Output (compressed form):

PO = 02 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D

Output (uncompressed form):

PO = 04 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D
765BE734 33B3F95E 332932E7 0EA245CA 2418EA0E F98018FB

Output (hybrid form):

PO = 06 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D
765BE734 33B3F95E 332932E7 0EA245CA 2418EA0E F98018FB
Example of Octet-String-to-Point Conversion. (See Section 4.4.2.b.)

(i) Input:

p = 6277101735386680763835789423207666416083908700390324961279

The curve is E: y^2 = x^3 + ax + b where

a = 6277101735386680763835789423207666416083908700390324961276

b = 5005402392289390203552069470771117084861899307801456990547

The octet string is

03 FiFiA 2BAF,7 E1497842 F2DE7769 CFE9C989 C072AD69 6F48034A

Output: The point is P = (x_1, y_1), where

x_1 = 5851329466723574623122023978072381191095567081251774399306

y_1 = 2487701625881228691269808880535093938601070911264778280469

(ii) Input: q = 2^191

The field F_2^191 is generated by the irreducible polynomial

f = 80000000 00000000 00000000 00000000 00000000 00000201

The curve is E: y^2 + xy = x^3 + ax^2 + b over F_2^191, where

a = 40102877 4D7777C7 B7666D13 66EA4320 71274F89 FF01E718

b = 0620048D 28BCBD03 B6249C99 182B7C8C D19700C3 62C46A01

The octet string is

PO = 02 3809B2B7 CC1B28CC 5A87926A AD83FD28 789E81E2 C9E3BF10

Output: The point is P = (x_1, y_1), where

x_1 = 1110000000100110110010101101111100110000011011001010001100110001011010100001111001001001101010101011011000001111111101001010000111100010011110100000011110001011001001111000111011111100010000

y_1 = 101110100001101000011100001100110001001101101000101001111001111011011111100000001011101100000110110010010000100111010001111100001110011110011011110101110110001000011011111010110011010001010

H.2. Examples of ECDSA over the Field F_2^m
H.2.1. An Example With m = 191 (trinomial basis)

a. Elliptic Curve Parameter Setup

1. The field F_2^191 is generated by the irreducible polynomial

f = 80000000 00000000 00000000 00000000 00000000 00000201

2. The curve is E: y^2 + xy = x^3 + ax^2 + b over F_2^191, where

seed = 4E13CA54 2744D696 E6768756 1517552F 279A8C84

a = 2866537B 67675263 6A68F565 54E12640 276B649E F7526267

b = 2E45EF57 1F00786F 67B0081B 9495A3D9 5462F5DE 0AA185EC

3. Generating point P (without point compression)

04 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D 765BE734 33B3F95E 332932E7 0EA245CA 2418EA0E F98018FB

P has prime order

n = 1569275433846670190958947355803350458831205595451630533029

h = 2

b. Key Generation

d = 1275552191113212300012030439187146164646146646466749494799

Q = dP = (x_Q, y_Q) (without point compression)

04 5DE37E75 6BD55D72 E3768CB3 96FFEB96 2614DEA4 CE28A2E7 55C0E0E0 2F5FB132 CAF416EF 85B229BB B8E13520 03125BA1

c. Signature Generation

M = "abc"

1. Message digesting

SHA-1 is applied to M to get

e = SHA-1(M) = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. select a k in the interval [2, n-2]

k = 1542725565216523985789236956265265265235675811949404040041

b. compute R = kP = (x_1, y_1)

x_1 = 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5

y_1 = 2AD603A0 5BD1D177 649F9167 E6F475B7 E2FF590C 85AF15DA

c. convert x_1 to an integer X_1

X_1 = 1656469817011541734314669640730254878828443186986697061077

d. set r = X_1 mod n.

r = 87194383164871543355722284926904419997237591535066528048

e. r ≠ 0, OK.

3. Modular computation

a. compute s = k^(-1)(e + dr) mod n.

s = 308992691965804947361541664549085895292153777025772063598

b. s ≠ 0, OK.

4. Signature formatting

The signature is the two integers r and s.

r = 87194383164871543355722284926904419997237591535066528048

s = 308992691965804947361541664549085895292153777025772063598

d. Signature Verification

1. Message digesting

SHA-1 is applied to M' to get

e = SHA-1(M') = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. r' is in interval [1, n-1], OK

b. s' is in interval [1, n-1], OK.

c. compute c = (s')^(-1) mod n

c = 952933666850866331568782284754801289889992082635386177703

d. compute u_1 = ec mod n and u_2 = r'c mod n

u_1 = 1248886407154707854022434516084062503301792374360994400066

u_2 = 527017380977534012168222466016199849611971141652753464154

e. compute (x_1, y_1) = u_1 P + u_2 Q

u_1 P = 1A045B0C 26AF1735 9163E9B2 BF1AA57C 5475C320 78ABE159
        53ECA58F AE7A4958 783E8173 CF1CA173 EAC47049 DCA02345

u_2 Q = 015CF19F E8485BED 8520CA06 BD7FA967 A2CE0B30 4FFCF0F5
        314770FA 4484962A EC673905 4A6652BC 07607D93 CAC79921

u_1 P + u_2 Q = (x_1, y_1)

x_1 = 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5

y_1 = 2AD603A0 5BD1D177 649F9167 E6F475B7 E2FF590C 85AF15DA

3. Signature check

a. convert x_1 to an integer X_1

X_1 = 1656469817011541734314669640730254878828443186986697061077

b. compute v = X_1 mod n.

v = 87194383164871543355722284926904419997237591535066528048

c. v = r'. OK

H.2.2. An Example With m = 239 (trinomial basis)

a. Elliptic Curve Parameter Setup

1. The field F_2^239 is generated by the irreducible polynomial

f = 8000 00000000 00000000 00000000 00000000 00000000 00000010 00000001

2. The curve is E: y^2 + xy = x^3 + ax^2 + b over F_2^239, where

seed = D34B9A4D 696E6768 75615175 CA71B920 BFEFB05D

a = 3201 0857077C 5431123A 46B80890 6756F543 423E8D27 87757812 5778AC76

b = 7904 08F2EEDA F392B012 EDEFB339 2F30F432 7C0CA3F3 1FC383C4 22AA8C16

3. Generating point P (without point compression)

04 57927098 FA932E7C 0A96D3FD 5B706EF7 E5F5C156 E16B7E7C 86038552 E91D61D8 EE5077C3 3FECF6F1 A16B268D E469C3C7 744EA9A9 71649FC7 A9616305

P has prime order

n = 220855883097298041197912187592864814557886993776713230936715041207411783

h = 4

b. Key Generation

d = 145642755521911534651321230007534120304391871461646461466464667494947990

Q = dP = (x_Q, y_Q) (without point compression)

04 5894609C CECF9A92 533F630D E713A958 E96C97CC B8F5ABB5 A688A238 DEED6DC2 D9D0C94E BFB7D526 BA6A6176 4175B99C B6011E20 47F9F067 293F57F5

c. Signature Generation

M = "abc"

1. Message digesting

SHA-1 is applied to M to get

e = SHA-1(M) = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. select a k in the interval [2, n-2]

k = 171278725565216523967285789236956265265265235675811949404040041670216363

b. compute R = kP = (x_1, y_1)

x_1 = 6321 0D71EF6C 10157C0D 1053DFF9 3EB8F028 1E3F9DA2 DEB377A8 1BDAE8D5

y_1 = 5EAF D217370E 12036519 CAD381A1 FC38234F 61870DB2 2C1E410A C1F183F0

c. convert x_1 to an integer X_1

X_1 = 684163982502313735578754902817629056302479132816981482452601000544626901

d. set r = X_1 mod n.

r = 21596333210419611985018340039034612628818151486841789642455876922391552

e. r ≠ 0, OK.

3. Modular computation

a. compute s = k^(-1)(e + dr) mod n.

s = 197030374000731686738334997654997227052849804072198819102649413465737174

b. s ≠ 0, OK.

4. Signature formatting

The signature is the two integers r and s.

r = 21596333210419611985018340039034612628818151486841789642455876922391552

s = 197030374000731686738334997654997227052849804072198819102649413465737174

d. Signature Verification

1. Message digesting

SHA-1 is applied to M' to get

e = SHA-1(M') = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. r' is in interval [1, n-1], OK

b. s' is in interval [1, n-1], OK.

c. compute c = (s')^(-1) mod n

c = 43139662092166466889007763796569761204289360794359926003383145535744433

d. compute u_1 = ec mod n and u_2 = r'c mod n

u_1 = 105375096144033333985559550644017212889091653305446724555949472922658998

u_2 = 215828469521640156896840216715465581571744240077746044580128914744769962

e. compute (x_1, y_1) = u_1 P + u_2 Q

u_1 P = 12C9 F6F4C153 014AD6E5 04B3036B B47FFD7B D42B820A 00F84CA8 C5C89FCA
        78EA 1205C486 3D0CA5DE 16FF6324 51CAA41C EE66B628 DE80774C A4C23D05

u_2 Q = 5C9B A4416EAD A45057F6 4ADF29FE B2A6C8D5 7546CEA5 426551DB E4C43157
        39B0 51282C27 D6A55E19 CCEDA153 7C02D812 43E65DF8 309E58BC F5030C06

u_1 P + u_2 Q = (x_1, y_1)

x_1 = 6321 0D71EF6C 10157C0D 1053DFF9 3EB8F028 1E3F9DA2 DEB377A8 1BDAE8D5

y_1 = 5EAF D217370E 12036519 CAD381A1 FC38234F 61870DB2 2C1E410A C1F183F0

3. Signature check

a. convert x_1 to an integer X_1

X_1 = 684163982502313735578754902817629056302479132816981482452601000544626901

b. compute v = X_1 mod n.

v = 21596333210419611985018340039034612628818151486841789642455876922391552

c. v = r'. OK

H.3. Examples of ECDSA over the Field F p 
H.3.1. An Example With a 192-bit Prime p 

a. Elliptic Curve Parameter Setup 

1 . The field F p is generated by the prime 

p = 627710173538668076383578942320766641608390870039032496 

1279 

2. The curve is E : y 2 = x+ax+b over F , where 

D 7 


seed = 

3045AE6F 

C8422F64 

ED579528 

D38120EA 

E12196D5 


r = 

3099D2BB 

BFCB2538 

542DCD5F 

B078B6EF 

5F3D6FE2 

C745DE65 

a = 

FFFFFFFF 

FFFFFFFF 

FFFFFFFF 

FFFFFFFE 

FFFFFFFF 

FFFFFFFC 

b = 

64210519 

E59C80E7 

0FA7E9AB 

72243049 

FEB8DEEC 

C146B9B1 

Generating point P (with point compression) 

03 188DA80E B03090F6 

7CBF20EB 

43A18800 

F4FF0AFD 


82FF1012 

P has prime order 

n = 627710173538668076383578942317605901376719477318284228 

4081 

h = 1 

b. Key Generation 

d = 651056770906015076056810763456358567190100156695615665 

659 

Q = dP = (xq, )>q) (with point compression) 

02 62B12D60 690CDCF3 30BABAB6 E69763B4 71F994DD 

702D16A5 

c. Signature Generation

M = "abc"

1. Message digesting

SHA-1 is applied to M to get

e = SHA-1(M) = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. select a k in the interval [2, n-2]

k = 6140507067065001063065065565667405560006161556565665656654

b. compute R = kP = (x1, y1)

x1 = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD

y1 = 9CF9FA1C BEFEFB91 7747A3BB 29C072B9 289C2547 884FD835

c. convert x1 to an integer x1

x1 = 3342403536405981729393488334694600415596881826869351677613

d. set r = x1 mod n.

r = 3342403536405981729393488334694600415596881826869351677613

e. r ≠ 0, OK.

3. Modular computation

a. compute s = k^-1 (e + dr) mod n.

s = 5735822328888155254683894997897571951568553642892029982342

b. s ≠ 0, OK.

4. Signature formatting

The signature is the two integers r and s.

r = 3342403536405981729393488334694600415596881826869351677613

s = 5735822328888155254683894997897571951568553642892029982342

d. Signature Verification

1. Message digesting

SHA-1 is applied to M' to get

e = SHA-1(M') = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. r' is in interval [1, n-1], OK

b. s' is in interval [1, n-1], OK.

c. compute c = (s')^-1 mod n

c = 3250964404472526825130516490452346217749189704049629042861

d. compute u1 = ec mod n and u2 = r'c mod n

u1 = 2563697409189434185194736134579731015366492496392189760599

u2 = 6266643813348617967186477710235785849136406323338782220568

e. compute (x1, y1) = u1P + u2Q

u1P: x = DD9734E5 159253EB 0B09A049 2E12CBA8 7084C11B AC674D82
     y = 804F5FDC 638946FA 6660E851 E10542C1 134D4348 2956B50E

u2Q: x = 48893A3F 98EBA955 7660BE10 14BBD7D2 42326A1C DA7CF246
     y = 114A3118 867D4032 247416C4 A2BA3E83 076B6F8C B666667A

u1P + u2Q = (x1, y1)

x1 = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD

y1 = 9CF9FA1C BEFEFB91 7747A3BB 29C072B9 289C2547 884FD835

3. Signature check

a. convert x1 to an integer x1

x1 = 3342403536405981729393488334694600415596881826869351677613

b. compute v = x1 mod n.

v = 3342403536405981729393488334694600415596881826869351677613

c. v = r'. OK


H.3.2. An Example With a 239-bit Prime p

a. Elliptic Curve Parameter Setup

1. The field F_p is generated by the prime

p = 883423532389192164791648750360308885314476597252960362792450860609699839

2. The curve is E : y^2 = x^3 + ax + b over F_p, where

seed = E43BB460 F0B80CC0 C0B07579 8E948060 F8321B7D

r = 28B8 5EC1ECC1 9EFE769E B741A6D1 BA29476A A5A8F261 0957D6EF E78D3783

a = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FFFFFFFF 80000000 00007FFF FFFFFFFC

b = 6B01 6C3BDCF1 8941D0D6 54921475 CA71A9DB 2FB27D1D 37796185 C2942C0A

3. Generating point P (with point compression)

020FFA 963CDCA8 816CCC33 B8642BED F905C3D3 58573D3F 27FBBD3B 3CB9AAAF

P has prime order

n = 883423532389192164791648750360308884807550341691627752275345424702807307

h = 1

b. Key Generation

d = 876300101507107567501066130761671078357010671067781776716671676178726717

Q = dP = (x_Q, y_Q) (with point compression)

025B6D C53BC61A 2548FFB0 F671472D E6C9521A E65ABFCB D5FE0C70

c. Signature Generation

M = "abc"

1. Message digesting

SHA-1 is applied to M to get

e = SHA-1(M) = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. select a k in the interval [2, n-2]

k = 700000017569056646655505781757157107570501575775705779575555657156756655

b. compute R = kP = (x1, y1)

x1 = 2CB7 F36803EB B9C427C5 8D8265F1 1FC50847 47133078 FC279DE8 74FBECB0

y1 = 20C0 8272B9E6 C92B518A 5AC5EB28 35BE0102 809D77E6 9304A6F7 C522B47B

c. convert x1 to an integer x1

x1 = 308636143175167811492622547300668018854959378758531778147462058306432176

d. set r = x1 mod n.

r = 308636143175167811492622547300668018854959378758531778147462058306432176

e. r ≠ 0, OK.

3. Modular computation

a. compute s = k^-1 (e + dr) mod n.

s = 323813553209797357708078776831250505931891051755007842781978505179448783

b. s ≠ 0, OK.

4. Signature formatting

The signature is the two integers r and s.

r = 308636143175167811492622547300668018854959378758531778147462058306432176

s = 323813553209797357708078776831250505931891051755007842781978505179448783

d. Signature Verification

1. Message digesting

SHA-1 is applied to M' to get

e = SHA-1(M') = 968236873715988614170569073515315707566766479517

2. Elliptic curve computation

a. r' is in interval [1, n-1], OK

b. s' is in interval [1, n-1], OK.

c. compute c = (s')^-1 mod n

c = 831843418332978390463010021843350581892480848636408104706147767766249764

d. compute u1 = ec mod n and u2 = r'c mod n

u1 = 124064965052014194622159338097387562954788117638383503089995672152118745

u2 = 811363736140754465407544341268382421438687214093897850239246340491822539

e. compute (x1, y1) = u1P + u2Q

u1P: x = 64C4 29FAF03D C1707700 D2011D43 9836B4C7 12DCFFD8 E4B7ED99 37F62D1F
     y = 6580 DE1A6ECE DFD78353 8C7C9D83 98BAE8B5 A697EEFD 004AA596 60800F48

u2Q: x = 3DCA 0CAFD86C 59DDD9FC 251A2073 9F698451 68F5922E 523B7994 AFC92D9D
     y = 5532 B0A717E9 45EED3D8 AD1C26AB 37907E94 2833CD22 AFFE63AC 1F5BC8FE

u1P + u2Q = (x1, y1)

x1 = 2CB7 F36803EB B9C427C5 8D8265F1 1FC50847 47133078 FC279DE8 74FBECB0

y1 = 20C0 8272B9E6 C92B518A 5AC5EB28 35BE0102 809D77E6 9304A6F7 C522B47B

3. Signature check

a. convert x1 to an integer x1

x1 = 308636143175167811492622547300668018854959378758531778147462058306432176

b. compute v = x1 mod n.

v = 308636143175167811492622547300668018854959378758531778147462058306432176

c. v = r'. OK

H.4. Sample Elliptic Curves over the Field F_2^m

This section presents sample curves over various fields F_2^m which may be used to ensure the correct implementation of this Standard.

The curves over the fields F_2^163, F_2^191, F_2^239 and F_2^359 were generated verifiably at random using the method described in Section F.3.3.a.

The curves over the fields F_2^176, F_2^208, F_2^272, F_2^304 and F_2^368 were generated using the Weil Theorem (see Note 6 in Section F.3.2).

The curve over the field F_2^431 was generated at random (but not using the method described in Section F.3.3.a).

H.4.1. 3 Examples With m = 163

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^163 is generated by the irreducible pentanomial

f = 08 00000000 00000000 00000000 00000000 00000107

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^163.

Example 1.

seed = D2C0FB15 760860DE F1EEF4D6 96E67687 56151754

a = 07 2546B543 5234A422 E0789675 F432C894 35DE5242

b = 00 C9517D06 D5240D3C FF38C74B 20B6CD4D 6F9DD4D9

Generating point P (with point compression)

0307 AF699895 46103D79 329FCC3D 74880F33 BBE803CB

Order of P

n = 04 00000000 00000000 0001E60F C8821CC7 4DAEAFC1

h = 02

Example 2.

seed = 53814C05 0D44D696 E6768756 1517580C A4E29FFD

a = 01 08B39E77 C4B108BE D981ED0E 890E117C 511CF072

b = 06 67ACEB38 AF4E488C 407433FF AE4F1C81 1638DF20

Generating point P (with point compression)

0300 24266E4E B5106D0A 964D92C4 860E2671 DB9B6CC5

Order of P

n = 03 FFFFFFFF FFFFFFFF FFFDF64D E1151ADB B78F10A7

h = 02

Example 3.

seed = 50CBF1D9 5CA94D69 6E676875 615175F1 6A36A3B8

a = 07 A526C63D 3E25A256 A007699F 5447E32A E456B50E

b = 03 F7061798 EB99E238 FD6F1BF9 5B48FEEB 4854252B

Generating point P (with point compression)

0202 F9F87B7C 574D0BDE CF8A22E6 524775F9 8CDEBDCB

Order of P

n = 03 FFFFFFFF FFFFFFFF FFFE1AEE 140F110A FF961309

h = 02

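As an added worked example (not part of this Standard's text), the following Python program implements GF(2^163) arithmetic with the pentanomial f of H.4.1, decompresses the Example 1 generating point from its compressed form (the 03 prefix supplies the rightmost bit of y·x^-1), checks that the recovered point satisfies y^2 + xy = x^3 + ax^2 + b, and checks that nP = O, which is the test an implementation should make before trusting a set of domain parameters. The constants are the Example 1 values listed above; the function names are this example's own.

```python
# Added example (not X9.62 text): GF(2^m) arithmetic and point checks for
# the H.4.1 Example 1 curve. Elements of F_2^163 are Python ints whose bits
# are polynomial coefficients; the modulus is the listed pentanomial f.
M = 163
F = (1 << M) | 0x107                                   # x^163 + x^8 + x^2 + x + 1
A = 0x072546B5435234A422E0789675F432C89435DE5242
B = 0x00C9517D06D5240D3CFF38C74B20B6CD4D6F9DD4D9
PX = 0x07AF69989546103D79329FCC3D74880F33BBE803CB     # x of P; the 03 prefix means y-bit 1
PY_BIT = 1
N = 0x0400000000000000000001E60FC8821CC74DAEAFC1     # order of P
H = 2                                                  # cofactor

def gf_reduce(r):
    """Reduce a polynomial of any degree modulo f."""
    for i in range(r.bit_length() - 1, M - 1, -1):
        if (r >> i) & 1:
            r ^= F << (i - M)
    return r

def gf_mul(a, b):
    """Shift-and-xor polynomial multiplication, then reduction modulo f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return gf_reduce(r)

def gf_inv(a):
    """Extended Euclid for binary polynomials: returns a^-1 mod f."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    u, v, g1, g2 = a, F, 1, 0                          # invariant: g1*a = u, g2*a = v (mod f)
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2 = v, u, g2, g1
            j = -j
        u ^= v << j
        g1 ^= g2 << j
    return gf_reduce(g1)

def gf_trace(w):
    """Tr(w) = w + w^2 + w^4 + ... + w^(2^(m-1)), always 0 or 1."""
    t = w
    for _ in range(M - 1):
        t = gf_mul(t, t) ^ w
    return t

def gf_half_trace(w):
    """For odd m, z = w + w^4 + w^16 + ... solves z^2 + z = w when Tr(w) = 0."""
    z = w
    for _ in range((M - 1) // 2):
        s = gf_mul(z, z)
        z = gf_mul(s, s) ^ w
    return z

def decompress(x, ybit):
    """Point decompression over F_2^m for x != 0: with z = y/x the curve
    equation becomes z^2 + z = x + a + b/x^2; ybit picks one of the two roots."""
    xinv = gf_inv(x)
    beta = x ^ A ^ gf_mul(B, gf_mul(xinv, xinv))
    if gf_trace(beta) != 0:
        raise ValueError("x is not the abscissa of a point on the curve")
    z = gf_half_trace(beta)
    if (z & 1) != ybit:
        z ^= 1
    return (x, gf_mul(x, z))

def on_curve(P):
    if P is None:
        return True
    x, y = P
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ B

def add(P, Q):
    """Affine addition on y^2 + xy = x^3 + ax^2 + b; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:                        # Q = -P = (x1, x1 + y1), or 2P = O
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))              # doubling
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = None
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def check_generator():
    """Returns (P on curve, nP = O, hnP = O) for the H.4.1 Example 1 point."""
    P = decompress(PX, PY_BIT)
    return on_curve(P), mul(N, P) is None, mul(H * N, P) is None

if __name__ == "__main__":
    print(check_generator())                           # expected (True, True, True)
```

The same three checks (field element in range, point on the curve, order n) are exactly the public-key validation an ECDSA verifier should perform on any received point Q before using it; a point that is on the curve but not of order n would pass a naive on-curve test alone.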

H.4.2. Example With m = 176

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^176 is generated by the irreducible pentanomial

f = 010000 00000000 00000000 00000000 00000800 00000007

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^176.

Example 1.

seed = NO

a = E4E6 DB299506 5C407D9D 39B8D096 7B96704B A8E9C90B

b = 5DDA 470ABE64 14DE8EC1 33AE28E9 BBD7FCEC 0AE0FFF2

Generating point P (with point compression)

038D16 C2866798 B600F9F0 8BB4A8E8 60F3298C E04A5798

Order of P

n = 01 00925373 97ECA4F6 145799D6 2B0A19CE 06FE26AD

h = FF6E

H.4.3. 5 Examples With m = 191

a. Elliptic Curve Parameter Setup (trinomial basis)

1. The field F_2^191 is generated by the irreducible trinomial

f = 80000000 00000000 00000000 00000000 00000000 00000201

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^191.

Example 1.

seed = 4E13CA54 2744D696 E6768756 1517552F 279A8C84

a = 2866537B 67675263 6A68F565 54E12640 276B649E F7526267

b = 2E45EF57 1F00786F 67B0081B 9495A3D9 5462F5DE 0AA185EC

Generating point P (with point compression)

02 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D

Order of P

n = 40000000 00000000 00000000 04A20E90 C39067C8 93BBB9A5

h = 02

Example 2.

seed = 0871EF2F EF24D696 E6768756 151758BE E0D95C15

a = 40102877 4D7777C7 B7666D13 66EA4320 71274F89 FF01E718

b = 0620048D 28BCBD03 B6249C99 182B7C8C D19700C3 62C46A01

Generating point P (with point compression)

02 3809B2B7 CC1B28CC 5A87926A AD83FD28 789E81E2 C9E3BF10

Order of P

n = 20000000 00000000 00000000 50508CB8 9F652824 E06B8173

h = 04

Example 3.

seed = E053512D C684D696 E6768756 15175067 AE786D1F

a = 6C010747 56099122 22105691 1C77D77E 77A777E7 E7E77FCB

b = 71FE1AF9 26CF8479 89EFEF8D B459F663 94D90F32 AD3F15E8

Generating point P (with point compression)

03 375D4CE2 4FDE4344 89DE8746 E7178601 5009E66E 38A926DD

Order of P

n = 15555555 55555555 55555555 610C0B19 6812BFB6 288A3EA3

h = 06

b. Elliptic Curve Parameter Setup (optimal normal basis)

1. The field F_2^191 is generated by the irreducible polynomial

f = D1010001 00000001 00000000 00000001 D1010001 00000001

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^191.

Example 4.

seed = A399387E AE54D696 E6768756 151750E5 8B416D57

a = 65903E04 E1E49242 53E26A3C 9AC28C75 8BD8184A 3FB680E8

b = 54678621 B190CFCE 282ADE21 9D5B3A06 5E3F4B3F FDEBB29B

Generating point P (with point compression)

02 5A2C69A3 2E8638E5 1CCEFAAD 05350A97 8457CB5F B6DF994A

Order of P

n = 40000000 00000000 00000000 9CF2D6E3 901DAC4C 32EEC65D

h = 02

Example 5.

seed = 2D88F7BC 545794D6 96E67687 56151759 73391555

a = 25F8D06C 97C82253 6D469CD5 170CDD7B B9F500BD 6DB110FB

b = 75FF570E 35CA94FB 3780C261 9D081C17 AA59FBD5 E591C1C4

Generating point P (with point compression)

03 2A16910E 8F6C4B19 9BE24213 857ABC9C 992EDFB2 471F3C68

Order of P

n = 0FFFFFFF FFFFFFFF FFFFFFFF EEB354B7 270B2992 B7818627

h = 08

H.4.4. Example With m = 208

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^208 is generated by the irreducible pentanomial

f = 010000 00000000 00000000 00000000 00080000 00000000 00000007

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^208.

Example 1.

seed = NO

a = 0000 00000000 00000000 00000000 00000000 00000000 00000000

b = C861 9ED45A62 E6212E11 60349E2B FA844439 FAFC2A3F D1638F9E

Generating point P (with point compression)

0289FD FBE4ABE1 93DF9559 ECF07AC0 CE78554E 2784EB8C 1ED1A57A

Order of P

n = 01 01BAF95C 9723C57B 6C21DA2E FF2D5ED5 88BDD571 7E212F9D

h = FE48






H.4.5. 5 Examples With m = 239

a. Elliptic Curve Parameter Setup (trinomial basis)

1. The field F_2^239 is generated by the irreducible trinomial

f = 8000 00000000 00000000 00000000 00000000 00000000 00000010 00000001

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^239.

Example 1.

seed = D34B9A4D 696E6768 75615175 CA71B920 BFEFB05D

a = 3201 0857077C 5431123A 46B80890 6756F543 423E8D27 87757812 5778AC76

b = 7904 08F2EEDA F392B012 EDEFB339 2F30F432 7C0CA3F3 1FC383C4 22AA8C16

Generating point P (with point compression)

025792 7098FA93 2E7C0A96 D3FD5B70 6EF7E5F5 C156E16B 7E7C8603 8552E91D

Order of P

n = 2000 00000000 00000000 00000000 000F4D42 FFE1492A 4993F1CA D666E447

h = 04

Example 2.

seed = 2AA6982F DFA4D696 E6768756 15175D26 6727277D

a = 4230 017757A7 67FAE423 98569B74 6325D453 13AF0766 266479B7 5654E65F

b = 5037 EA654196 CFF0CD82 B2C14A2F CF2E3FF8 775285B5 45722F03 EACDB74B

Generating point P (with point compression)

0228F9 D04E9000 69C8DC47 A08534FE 76D2B900 B7D7EF31 F5709F20 0C4CA205

Order of P

n = 1555 55555555 55555555 55555555 553C6F28 85259C31 E3FCDF15 4624522D

h = 06

Example 3.

seed = 9E076F4D 696E6768 75615175 E11E9FDD 77F92041

a = 0123 8774666A 67766D66 76F778E6 76B66999 176666E6 87666D87 66C66A9F

b = 6A94 1977BA9F 6A435199 ACFC5106 7ED587F5 19C5ECB5 41B8E441 11DE1D40

Generating point P (with point compression)

0370F6 E9D04D28 9C4E8991 3CE3530B FDE90397 7D42B146 D539BF1B DE4E9C92

Order of P

n = 0CCC CCCCCCCC CCCCCCCC CCCCCCCC CCAC4912 D2D9DF90 3EF9888B 8A0E4CFF

h = 0A

b. Elliptic Curve Parameter Setup (optimal normal basis)

1. The field F_2^239 is generated by the irreducible polynomial

f = D1010001 D1010000 00000001 D1010000 00000000 00000000 00000001 D1010000

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^239.

Example 4.

seed = F851638C FA4D696E 67687561 51755651 3841BFAC

a = 182D D45F5D47 0239B898 3FEA47B8 B292641C 57F9BF84 BAECDE8B B3ADCE30

b = 147A 9C1D4C2C E9BE5D34 EC02797F 76667EBA D5A3F93F A2A524BF DE91EF28

Generating point P (with point compression)

034912 AD657F1D 1C6B32ED B9942C95 E226B06F B012CD40 FDEA0D72 197C8104

Order of P

n = 2000 00000000 00000000 00000000 00474F7E 69F42FE4 30931D0B 455AAE8B

h = 04

Example 5.

seed = 2C04F44D 696E6768 75615175 C586B41F 6CA150C9

a = 1ECF 1B9D28D8 017505E1 7475D3DF 2982E243 CA5CB5E9 F94A3F36 124A486E

b = 3EE2 57250D1A 2E66CEF2 3AA0F25B 12388DE8 A10FF955 4F90AFBA A9A08B6D

Generating point P (with point compression)

021932 79FC543E 9F5F7119 189785B9 C60A249B E4820BAF 6C24BDFA 2813F8B8

Order of P

n = 1555 55555555 55555555 55555555 558CF77A 5D0589D2 A9340D96 3B7AD703

h = 06

H.4.6. Example With m = 272

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^272 is generated by the irreducible pentanomial

f = 010000 00000000 00000000 00000000 00000000 00000000 00000000 01000000 0000000B

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^272.

Example 1.

seed = NO

a = 91A0 91F03B5F BA4AB2CC F49C4EDD 220FB028 712D42BE 752B2C40 094DBACD B586FB20

b = 7167 EFC92BB2 E3CE7C8A AAFF34E1 2A9C5570 03D7C73A 6FAF003F 99F6CC84 82E540F7

Generating point P (with point compression)

026108 BABB2CEE BCF78705 8A056CBE 0CFE622D 7723A289 E08A07AE 13EF0D10 D171DD8D

Order of P

n = 01 00FAF513 54E0E39E 4892DF6E 319C72C8 161603FA 45AA7B99 8A167B8F 1E629521

h = FF06

H.4.7. Example With m = 304

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^304 is generated by the irreducible pentanomial

f = 010000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000807

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^304.

Example 1.

seed = NO

a = FD0D 693149A1 18F651E6 DCE68020 85377E5F 882D1B51 0B441600 74C12880 78365A03 96C8E681

b = BDDB 97E555A5 0A908E43 B01C798E A5DAA678 8F1EA279 4EFCF571 66B8C140 39601E55 827340BE

Generating point P (with point compression)

02197B 07845E9B E2D96ADB 0F5F3C7F 2CFFBD7A 3EB8B6FE C35C7FD6 7F26DDF6 285A644F 740A2614

Order of P

n = 01 01D55657 2AABAC80 0101D556 572AABAC 8001022D 5C91DD17 3F8FB561 DA689916 4443051D

h = FE2E

H.4.8. Example With m = 359

Elliptic Curve Parameter Setup (trinomial basis)

1. The field F_2^359 is generated by the irreducible trinomial

f = 80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000010 00000000 00000001

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^359.

Example 1.

seed = 2B354920 B724D696 E6768756 1517585B A1332DC6

a = 56 67676A65 4B20754F 356EA920 17D94656 7C466755 56F19556 A04616B5 67D223A5 E05656FB 549016A9 6656A557

b = 24 72E2D019 7C49363F 1FE7F5B6 DB075D52 B6947D13 5D8CA445 805D39BC 34562608 9687742B 6329E706 80231988

Generating point P (with point compression)

033C 258EF304 7767E7ED E0F1FDAA 79DAEE38 41366A13 2E163ACE D4ED2401 DF9C6BDC DE98E8E7 07C07A22 39B1B097

Order of P

n = 01 AF286BCA 1AF286BC A1AF286B CA1AF286 BCA1AF28 6BC9FB8F 6B85C556 892C20A7 EB964FE7 719E74F4 90758D3B

h = 4C

H.4.9. Example With m = 368

Elliptic Curve Parameter Setup (pentanomial basis)

1. The field F_2^368 is generated by the irreducible pentanomial

f = 010000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00200000 00000000 00000007

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^368.

Example 1.

seed = NO

a = E0D2 EE250952 06F5E2A4 F9ED229F 1F256E79 A0E2B455 970D8D0D 865BD947 78C576D6 2F0AB751 9CCD2A1A 906AE30D

b = FC12 17D4320A 90452C76 0A58EDCD 30C8DD06 9B3C3445 3837A34E D50CB549 17E1C211 2D84D164 F444F8F7 4786046A

Generating point P (with point compression)

021085 E2755381 DCCCE3C1 557AFA10 C2F0C0C2 825646C5 B34A394C BCFA8BC1 6B22E7E7 89E927BE 216F02E1 FB136A5F

Order of P

n = 01 0090512D A9AF72B0 8349D98A 5DD4C7B0 532ECA51 CE03E2D1 0F3B7AC5 79BD87E9 09AE40A6 F131E9CF CE5BD967

h = FF70

H.4.10. Example With m = 431

Elliptic Curve Parameter Setup (trinomial basis)

1. The field F_2^431 is generated by the irreducible trinomial

f = 8000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 01000000 00000000 00000000 00000001

2. The curve is E : y^2 + xy = x^3 + ax^2 + b over F_2^431.

Example 1.

seed = NO

a = 1A82 7EF00DD6 FC0E234C AF046C6A 5D8A8539 5B236CC4 AD2CF32A 0CADBDC9 DDF620B0 EB9906D0 957F6C6F EACD6154 68DF104D E296CD8F

b = 10D9 B4A3D904 7D8B1543 59ABFB1B 7F5485B0 4CEB8682 37DDC9DE DA982A67 9A5A919B 626D4E50 A8DD731B 107A9962 381FB5D8 07BF2618

Generating point P (with point compression)

02120F 4758714E C247B0DB D2F40926 22FECA70 1BE4F50F C05D3C67 8A87BBF2 D70CE6B7 21E7C5EF E965361F 6C2999C0 A99DE161 A658EF8C

Order of P

n = 03 40340340 34034034 03403403 40340340 34034034 03403403 40340323 C313FAB5 0589703B 5EC68D35 87FEC60D 161CC149 C1AD4A91

h = 2760







H.5. Sample Elliptic Curves over the Field F_p

This section presents sample curves over 192-bit, 239-bit and 256-bit prime fields F_p which may be used to ensure the correct implementation of this Standard.

The curves were generated verifiably at random using the method described in Section F.3.3.b.

H.5.1. 3 Examples With a 192-bit Prime

Elliptic Curve Parameter Setup

1. The field F_p is generated by the prime

p = 6277101735386680763835789423207666416083908700390324961279

2. The curve is E : y^2 = x^3 + ax + b over F_p.

Example 1.

seed = 3045AE6F C8422F64 ED579528 D38120EA E12196D5

r = 3099D2BB BFCB2538 542DCD5F B078B6EF 5F3D6FE2 C745DE65

a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC

b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1

Generating point P (with point compression)

03 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012

Order of P

n = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831

h = 01

Example 2.

seed = 31A92EE2 029FD10D 901B113E 990710F0 D21AC6B6

r = 15038D1D 2E1CAFEE 0299F301 1C1DC75B 3C2A86E1 35DB1E6B

a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC

b = CC22D6DF B95C6B25 E49C0D63 64A4E598 0C393AA2 1668D953

Generating point P (with point compression)

03 EEA2BAE7 E1497842 F2DE7769 CFE9C989 C072AD69 6F48034A

Order of P

n = FFFFFFFF FFFFFFFF FFFFFFFE 5FB1A724 DC804186 48D8DD31

h = 01

Example 3.

seed = C4696844 35DEB378 C4B65CA9 591E2A57 63059A2E

r = 25191F95 024D8395 46D9A337 5639A996 7D52F137 3BC4EE0B

a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC

b = 22123DC2 395A05CA A7423DAE CCC94760 A7D46225 6BD56916

Generating point P (with point compression)

02 7D297781 00C65A1D A1783716 588DCE2B 8B4AEE8E 228F1896

Order of P

n = FFFFFFFF FFFFFFFF FFFFFFFF 7A62D031 C83F4294 F640EC13

h = 01

H.5.2. 3 Examples With a 239-bit Prime

Elliptic Curve Parameter Setup

1. The field F_p is generated by the prime

p = 883423532389192164791648750360308885314476597252960362792450860609699839

2. The curve is E : y^2 = x^3 + ax + b over F_p.

Example 1.

seed = E43BB460 F0B80CC0 C0B07579 8E948060 F8321B7D

r = 28B8 5EC1ECC1 9EFE769E B741A6D1 BA29476A A5A8F261 0957D6EF E78D3783

a = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FFFFFFFF 80000000 00007FFF FFFFFFFC

b = 6B01 6C3BDCF1 8941D0D6 54921475 CA71A9DB 2FB27D1D 37796185 C2942C0A

Generating point P (with point compression)

020FFA 963CDCA8 816CCC33 B8642BED F905C3D3 58573D3F 27FBBD3B 3CB9AAAF

Order of P

n = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FF9E5E9A 9F5D9071 FBD15226 88909D0B

h = 01

Example 2.

seed = E8B40116 04095303 CA3B8099 982BE09F CB9AE616

r = 1DF4 91E44E7C CAF4D1EA D8A6B90D AE09E0D3 3F2C6CFE 7A6BA76E 86713D52

a = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FFFFFFFF 80000000 00007FFF FFFFFFFC

b = 617F AB683257 6CBBFED5 0D99F024 9C3FEE58 B94BA003 8C7AE84C 8C832F2C

Generating point P (with point compression)

0238AF 09D98727 705120C9 21BB5E9E 26296A3C DCF2F357 57A0EAFD 87B830E7

Order of P

n = 7FFF FFFFFFFF FFFFFFFF FFFF8000 00CFA7E8 594377D4 14C03821 BC582063

h = 01

Example 3.

seed = 7D737416 8FFE3471 B60A8576 86A19475 D3BFA2FF

r = 3A4F 9DC9A6CE FD5F9D11 93B9C996 8C202430 003C2819 C2E49861 8DC58330

a = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FFFFFFFF 80000000 00007FFF FFFFFFFC

b = 2557 05FA2A30 6654B1F4 CB03D6A7 50A30C25 0102D498 8717D9BA 15AB6D3E

Generating point P (with point compression)

036768 AE8E18BB 92CFCF00 5C949AA2 C6D94853 D0E660BB F854B1C9 505FE95A

Order of P

n = 7FFF FFFFFFFF FFFFFFFF FFFF7FFF FF975DEB 41B3A605 7C3C4321 46526551

h = 01


H.5.3. 1 Example With a 256-bit Prime

Elliptic Curve Parameter Setup

1. The field F_p is generated by the prime

p = 115792089210356248762697446949407573530086143415290314195533631308867097853951

2. The curve is E : y^2 = x^3 + ax + b over F_p.

Example 1.

seed = C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

r = 7EFBA166 2985BE94 03CB055C 75D4F7E0 CE8D84A9 C5114ABC AF317768 0104FA0D

a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFC

b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

Generating point P = (x, y) (without point compression)

x = 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

y = 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

Order of P

n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

h = 01
Appendix I Small Example of the ECDSA

[Informative]

I.1. System Setup

The underlying finite field is F_23, and the elliptic curve is y^2 = x^3 + x + 1, as described in Example 5 in Section C.3. The point P = (x_P, y_P) = (13, 7) is selected. Since 7P = O, the point P has order n = 7.

The system parameters (the public information) are:

• the field F_23,

• the curve E,

• the point P,

• the order n = 7, and

• the cofactor h = 4.

I.2. Key Generation

Entity A performs the following operations.

1. A selects a random integer d = 3 in the interval [2, n - 2] = [2, 5].

2. A computes the point Q = dP = 3(13, 7) = (17, 3).

3. A makes public the point Q.

4. A's private key is the integer d = 3.

I.3. Signature Generation for ECDSA

Entity A signs message M = 11100011010111100.

Suppose that the decimal representation of the hash value H(M) is e = 6.

Entity A:

1. selects a random integer k = 4 in the interval [2, n - 2] = [2, 5].

2. computes (x1, y1) = kP = 4(13, 7) = (17, 20).

3. represents x1 as the integer x1 = 17.

4. sets r = x1 mod n = 17 mod 7 = 3.

5. computes s = k^-1 (e + dr) mod n = 4^-1 (6 + 3·3) mod 7 = 2(15) mod 7 = 2.

The signature on message M is (r, s) = (3, 2).

I.4. Signature Verification for ECDSA

Entity B verifies signature (r', s') = (3, 2) on M as follows.

Entity B:

1. looks up A's public key Q = (17, 3).

2. computes e = 6, the decimal representation of H(M).

3. computes c = (s')^-1 mod n = 2^-1 mod 7 = 4.

4. computes u1 = ec mod n = 6·4 mod 7 = 3 and u2 = r'c mod n = 3·4 mod 7 = 5.

5. computes the point (x1, y1) = u1P + u2Q = 3P + 5Q = 3(13, 7) + 5(17, 3) = (17, 20).

6. represents x1 as the integer x1 = 17.

7. computes v = x1 mod n = 17 mod 7 = 3.

8. accepts the signature since v = r' = 3. 
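As an added worked example (not part of this Standard's text), the following Python program implements the ECDSA computations shown in Section H.3.1 and in this appendix over a prime field: affine point addition and scalar multiplication, signature generation with a supplied per-message secret k, and signature verification. It reproduces the toy signature (r, s) = (3, 2) above on the curve y^2 = x^3 + x + 1 over F_23, and the 192-bit vector of H.3.1 (p, a, b, n, the compressed generating point, d, k and the message "abc" as listed there; the y-coordinate of P is recovered from the 03 prefix by a square root modulo p). Class, function and constant names are this example's own.

```python
import hashlib

# Added example (not X9.62 text): textbook affine ECDSA over F_p, run on the
# Appendix I toy parameters and on the H.3.1 192-bit vector from this page.

class Curve:
    """y^2 = x^3 + ax + b over F_p; the point at infinity O is represented by None."""
    def __init__(self, p, a, b, n, h, G=None):
        self.p, self.a, self.b, self.n, self.h, self.G = p, a, b, n, h, G

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Affine point addition (chord-and-tangent)."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                                   # Q = -P, also 2P when y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k, P):
        """Double-and-add scalar multiplication kP."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def decompress(self, prefix, x):
        """Recover y from a compressed point (prefix 02: y even, 03: y odd).
        Uses the p = 3 (mod 4) square root, which the 192-bit prime satisfies."""
        if self.p % 4 != 3:
            raise ValueError("square root shortcut needs p = 3 mod 4")
        y = pow((x * x * x + self.a * x + self.b) % self.p, (self.p + 1) // 4, self.p)
        if y % 2 != prefix - 2:
            y = self.p - y
        if not self.on_curve((x, y)):
            raise ValueError("x is not the abscissa of a point on the curve")
        return (x, y)

def sha1_int(msg):
    """e = SHA-1(M) taken as a big-endian integer, as in step 1 of signature generation."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def ecdsa_sign(curve, d, e, k):
    """Signature generation. k is passed in so the page's fixed-k examples reproduce;
    a real signer must draw a fresh secret k in [1, n-1] for every signature."""
    n = curve.n
    x1, _ = curve.mul(k, curve.G)
    r = x1 % n
    s = pow(k, -1, n) * (e + d * r) % n
    if r == 0 or s == 0:
        raise ValueError("degenerate k, choose another")
    return r, s

def ecdsa_verify(curve, Q, e, r, s):
    """Signature verification: range checks, c = s^-1, u1 = ec, u2 = rc, v = x(u1 P + u2 Q) mod n."""
    n = curve.n
    if Q is None or not curve.on_curve(Q):
        return False
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1):
        return False
    c = pow(s, -1, n)
    u1, u2 = e * c % n, r * c % n
    X = curve.add(curve.mul(u1, curve.G), curve.mul(u2, Q))
    return X is not None and X[0] % n == r

# Appendix I toy curve: y^2 = x^3 + x + 1 over F_23, P = (13, 7), n = 7, h = 4.
TOY = Curve(p=23, a=1, b=1, n=7, h=4, G=(13, 7))

# H.3.1 192-bit curve (a = p - 3); P given in compressed form with prefix 03.
P192_P = 6277101735386680763835789423207666416083908700390324961279
P192 = Curve(p=P192_P, a=P192_P - 3,
             b=0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1,
             n=6277101735386680763835789423176059013767194773182842284081, h=1)
P192.G = P192.decompress(0x03, 0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012)
D192 = 651056770906015076056810763456358567190100156695615665659       # H.3.1 private key d
K192 = 6140507067065001063065065565667405560006161556565665656654      # H.3.1 per-message k

def x962_h31_vector():
    """Reproduce the H.3.1 example: returns (Q, r, s, verification result)."""
    e = sha1_int(b"abc")
    Q = P192.mul(D192, P192.G)
    r, s = ecdsa_sign(P192, D192, e, K192)
    return Q, r, s, ecdsa_verify(P192, Q, e, r, s)

if __name__ == "__main__":
    print(ecdsa_sign(TOY, 3, 6, 4))                         # Appendix I: (3, 2)
    print(x962_h31_vector()[1:])                            # H.3.1 r, s and True
```

The r and s printed for the 192-bit case should be the integers listed under "4. Signature formatting" in H.3.1, and changing a single bit of the message makes verification fail; that round trip is the minimum self-test an implementation should run against these vectors.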